CVE-2019-5538
First published: Mon Oct 28 2019(Updated: )
Sensitive information disclosure vulnerability resulting from a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance (6.7 before 6.7u3a and 6.5 before 6.5u3d) may allow a malicious actor to intercept sensitive data in transit over SCP. A malicious actor with man-in-the-middle positioning between vCenter Server Appliance and a backup target may be able to intercept sensitive data in transit during File-Based Backup and Restore operations.
Credit: security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| VMware vCenter Server | =6.5 | |
| VMware vCenter Server | =6.5-a | |
| VMware vCenter Server | =6.5-b | |
| VMware vCenter Server | =6.5-c | |
| VMware vCenter Server | =6.5-d | |
| VMware vCenter Server | =6.5-e | |
| VMware vCenter Server | =6.5-f | |
| VMware vCenter Server | =6.5-update1 | |
| VMware vCenter Server | =6.5-update1b | |
| VMware vCenter Server | =6.5-update1c | |
| VMware vCenter Server | =6.5-update1d | |
| VMware vCenter Server | =6.5-update1e | |
| VMware vCenter Server | =6.5-update1g | |
| VMware vCenter Server | =6.5-update2 | |
| VMware vCenter Server | =6.5-update2b | |
| VMware vCenter Server | =6.5-update2c | |
| VMware vCenter Server | =6.5-update2d | |
| VMware vCenter Server | =6.5-update2g | |
| VMware vCenter Server | =6.5-update3 | |
| VMware vCenter Server | =6.7 | |
| VMware vCenter Server | =6.7-a | |
| VMware vCenter Server | =6.7-b | |
| VMware vCenter Server | =6.7-d | |
| VMware vCenter Server | =6.7-update1 | |
| VMware vCenter Server | =6.7-update1b | |
| VMware vCenter Server | =6.7-update2 | |
| VMware vCenter Server | =6.7-update2a | |
| VMware vCenter Server | =6.7-update2c | |
| VMware vCenter Server | =6.7-update3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is CVE-2019-5538?
CVE-2019-5538 is a sensitive information disclosure vulnerability in VMware vCenter Server Appliance.
How does CVE-2019-5538 occur?
CVE-2019-5538 occurs due to a lack of certificate validation during the File-Based Backup and Restore operations of VMware vCenter Server Appliance.
What is the severity of CVE-2019-5538?
The severity of CVE-2019-5538 is medium with a CVSS score of 5.9.
Which versions of VMware vCenter Server Appliance are affected by CVE-2019-5538?
VMware vCenter Server Appliance versions 6.7 before 6.7u3a and 6.5 before 6.5u3d are affected by CVE-2019-5538.
How can I fix CVE-2019-5538?
To fix CVE-2019-5538, update VMware vCenter Server Appliance to version 6.7u3a or 6.5u3d.
- collector/nvd-index
- vendor/vmware
- canonical/vmware vcenter server
- version/vmware vcenter server/6.5
- version/vmware vcenter server/6.5-a
- version/vmware vcenter server/6.5-b
- version/vmware vcenter server/6.5-c
- version/vmware vcenter server/6.5-d
- version/vmware vcenter server/6.5-e
- version/vmware vcenter server/6.5-f
- version/vmware vcenter server/6.5-update1
- version/vmware vcenter server/6.5-update1b
- version/vmware vcenter server/6.5-update1c
- version/vmware vcenter server/6.5-update1d
- version/vmware vcenter server/6.5-update1e
- version/vmware vcenter server/6.5-update1g
- version/vmware vcenter server/6.5-update2
- version/vmware vcenter server/6.5-update2b
- version/vmware vcenter server/6.5-update2c
- version/vmware vcenter server/6.5-update2d
- version/vmware vcenter server/6.5-update2g
- version/vmware vcenter server/6.5-update3
- version/vmware vcenter server/6.7
- version/vmware vcenter server/6.7-a
- version/vmware vcenter server/6.7-b
- version/vmware vcenter server/6.7-d
- version/vmware vcenter server/6.7-update1
- version/vmware vcenter server/6.7-update1b
- version/vmware vcenter server/6.7-update2
- version/vmware vcenter server/6.7-update2a
- version/vmware vcenter server/6.7-update2c
- version/vmware vcenter server/6.7-update3