First published: Mon Oct 28 2019
Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3a and 6.5 before 6.5u3d) may allow a malicious actor to intercept sensitive data in transit over FTPS and HTTPS. A malicious actor with man-in-the-middle positioning between vCenter Server Appliance and a backup target may be able to intercept sensitive data in transit during File-Based Backup and Restore operations.
Credit: security@vmware.com
Affected Software | Affected Version | How to fix |
---|---|---|
VMware vCenter Server | =6.5 | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-a | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-b | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-c | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-d | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-e | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-f | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-update1 | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-update1b | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-update1c | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-update1d | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-update1e | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-update1g | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-update2 | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-update2b | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-update2c | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-update2d | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-update2g | Upgrade to 6.5u3d |
VMware vCenter Server | =6.5-update3 | Upgrade to 6.5u3d |
VMware vCenter Server | =6.7 | Upgrade to 6.7u3a |
VMware vCenter Server | =6.7-a | Upgrade to 6.7u3a |
VMware vCenter Server | =6.7-b | Upgrade to 6.7u3a |
VMware vCenter Server | =6.7-d | Upgrade to 6.7u3a |
VMware vCenter Server | =6.7-update1 | Upgrade to 6.7u3a |
VMware vCenter Server | =6.7-update1b | Upgrade to 6.7u3a |
VMware vCenter Server | =6.7-update2 | Upgrade to 6.7u3a |
VMware vCenter Server | =6.7-update2a | Upgrade to 6.7u3a |
VMware vCenter Server | =6.7-update2c | Upgrade to 6.7u3a |
VMware vCenter Server | =6.7-update3 | Upgrade to 6.7u3a |
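The table above lists affected builds one by one, and the advisory text gives the rule behind it (6.5 before 6.5u3d, 6.7 before 6.7u3a). The following is an added inventory check, not code from VMware or from this page: it parses the version strings in the form the table and advisory use ("6.5-update2c", "6.7u3a", "6.7 Update 3b") and decides whether a given vCenter Server Appliance is inside the affected range. The ordering it assumes (GA release, then lettered patches, then numbered updates with their own lettered patches) is inferred from the table; it does not understand numeric build identifiers and raises on strings it cannot parse.

```python
"""Affected-range check for CVE-2019-5537 (vCenter Server Appliance).

Added example, not VMware's tooling. Fixed versions are taken from the
advisory text (6.5u3d and 6.7u3a); the version ordering is inferred from
the affected-version table on this page.
"""
import re
from typing import NamedTuple, Optional

# Accepts "6.5", "6.5-a", "6.5-update1b", "6.7u3a", "6.7 Update 3b" (spaces removed first).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:-?(?:update|u)(\d+))?-?([a-z])?$")


class VcsaVersion(NamedTuple):
    major: int
    minor: int
    update: int   # 0 for the GA release of the branch
    letter: str   # "" for the base of a release/update, then "a", "b", ...

    @property
    def branch(self):
        return (self.major, self.minor)

    def order_key(self):
        # Tuple comparison gives the ordering the table implies:
        # 6.5 < 6.5-a < ... < 6.5-update1 < 6.5-update1b < ... < 6.5-update3 < 6.5u3d
        return (self.major, self.minor, self.update, self.letter)


def parse_version(text: str) -> VcsaVersion:
    """Parse a marketing-style vCenter version string into a comparable tuple."""
    normalised = text.strip().lower().replace(" ", "")
    match = _VERSION_RE.match(normalised)
    if not match:
        raise ValueError(f"unrecognised vCenter version string: {text!r}")
    major, minor, update, letter = match.groups()
    return VcsaVersion(int(major), int(minor), int(update or 0), letter or "")


# First fixed release per branch, from the advisory text.
FIXED = {
    (6, 5): parse_version("6.5u3d"),
    (6, 7): parse_version("6.7u3a"),
}


def is_affected(text: str) -> Optional[bool]:
    """True if the version is before the fix on its branch, False if fixed,
    None if the branch is not covered by this advisory (e.g. 6.0 or 7.0)."""
    version = parse_version(text)
    fixed = FIXED.get(version.branch)
    if fixed is None:
        return None
    return version.order_key() < fixed.order_key()


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("vcsa-01", "6.5-update2c"), ("vcsa-02", "6.7 Update 3b"), ("vcsa-03", "6.0")]:
        print(host, ver, "affected" if is_affected(ver) else "not affected or out of scope")
```

`is_affected` returns `None` rather than `False` for branches the advisory does not mention, so an inventory script cannot silently mark a 6.0 or 7.0 appliance as clean on the strength of this one advisory.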
CVE-2019-5537 is a sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance.
The severity of CVE-2019-5537 is medium with a CVSS score of 5.9.
VMware vCenter Server versions 6.7 before 6.7u3a and 6.5 before 6.5u3d are affected by CVE-2019-5537.
A malicious actor positioned between the vCenter Server Appliance and its backup target can exploit CVE-2019-5537 by presenting their own certificate and intercepting sensitive data in transit over FTPS or HTTPS during File-Based Backup and Restore operations on affected VMware vCenter Server versions.
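The root cause here is a TLS client that does not validate the server's certificate, so an on-path attacker can terminate the connection with any certificate they like. The following is an added illustration in Python, not VMware's code (the appliance's backup client is not on this page): it shows the weak client configuration next to a hardened one for both transports the advisory names (FTPS via `ftplib.FTP_TLS`, HTTPS via `http.client`), plus a small audit that flags the settings that make the weak one exploitable. The host name and CA bundle argument are placeholders.

```python
"""Weak versus hardened TLS client configuration for a backup transfer.

Added example, not code from VMware or the advisory. BACKUP_HOST and the
cafile argument are assumptions for illustration.
"""
import ftplib
import http.client
import ssl
from typing import List, Optional

BACKUP_HOST = "backup.example.internal"  # assumed target name, not from the advisory


def weak_context() -> ssl.SSLContext:
    """The flaw class behind CVE-2019-5537: encrypt, but trust any certificate.
    An attacker in the path can present a self-issued certificate and read the backup."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Validate the chain against a trust store (system store, or the given CA
    bundle for a private backup CA) and require the name to match."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise against a client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


def ftps_client(ctx: ssl.SSLContext) -> ftplib.FTP_TLS:
    """FTPS client bound to the given context; no host given, so nothing connects here."""
    return ftplib.FTP_TLS(context=ctx)


def https_client(ctx: ssl.SSLContext, host: str = BACKUP_HOST) -> http.client.HTTPSConnection:
    """HTTPS client bound to the given context; the socket opens only on first request."""
    return http.client.HTTPSConnection(host, 443, context=ctx)


if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "no findings")
```

On the hardened side the client still has to be pointed at the right trust anchor: if the backup target uses a certificate from a private CA, pass that CA bundle as `cafile` rather than switching validation off, which is exactly the shortcut this advisory is about.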
You can find more information about CVE-2019-5537 at the following reference: https://www.vmware.com/security/advisories/VMSA-2019-0018.html