CVE-2011-2217: Buffer Overflow
First published: Mon Jun 06 2011(Updated: )
Certain ActiveX controls in (1) tsgetxu71ex552.dll and (2) tsgetx71ex552.dll in Tom Sawyer GET Extension Factory 5.5.2.237, as used in VI Client (aka VMware Infrastructure Client) 2.0.2 before Build 230598 and 2.5 before Build 204931 in VMware Infrastructure 3, do not properly handle attempted initialization within Internet Explorer, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HTML document.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Tom Sawyer Get Extension Factory | =5.5.2.237 | |
| VMware vSphere Client | =2.0.2 | |
| VMware vSphere Client | =2.5 | |
| VMware Virtual Infrastructure Client | =3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=911
- http://secunia.com/advisories/44826
- http://securitytracker.com/id?1025602
- http://www.securityfocus.com/bid/48099
- http://www.vmware.com/security/advisories/VMSA-2011-0009.html
- http://secunia.com/advisories/44844
- https://exchange.xforce.ibmcloud.com/vulnerabilities/67816
Frequently Asked Questions
What is the severity of CVE-2011-2217?
CVE-2011-2217 is considered a critical vulnerability due to potential exploitation leading to arbitrary code execution.
How do I fix CVE-2011-2217?
To fix CVE-2011-2217, upgrade to the latest version of Tom Sawyer Get Extension Factory and VMware Infrastructure Client that are patched against this vulnerability.
What systems are affected by CVE-2011-2217?
CVE-2011-2217 affects Tom Sawyer GET Extension Factory version 5.5.2.237 and VMware Virtual Infrastructure Client versions 2.0.2 and 2.5.
What kind of attacks can be executed due to CVE-2011-2217?
Exploitation of CVE-2011-2217 can allow an attacker to execute arbitrary code on the affected systems.
Is CVE-2011-2217 a zero-day vulnerability?
CVE-2011-2217 is not a zero-day vulnerability as it was disclosed publicly and patches are available.
- collector/nvd-historical
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/last-modified-date
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/tomsawyer
- canonical/tom sawyer get extension factory
- version/tom sawyer get extension factory/5.5.2.237
- vendor/vmware
- canonical/vmware vsphere client
- version/vmware vsphere client/2.0.2
- version/vmware vsphere client/2.5
- canonical/vmware virtual infrastructure client
- version/vmware virtual infrastructure client/3