
VMware vRealize Operations Manager ver 6.x < 6.40 Suite API CollectorHttpRelayController RelayRequest Object DiskFileItem Deserialization DoS

Description

The version of VMware vRealize Operations (vROps) Manager running on the remote web server is 6.x prior to 6.40. It is, therefore, affected by a flaw in the Suite API CollectorHttpRelayController component due to improper validation of DiskFileItem objects stored in the 'relay-request' XML before attempting deserialization. An authenticated, remote attacker can exploit this issue, via a specially crafted DiskFileItem object embedded in the XML, to move or write arbitrary content to files, resulting in a denial of service condition.

