Cybersecurity researchers today disclosed details for a new vulnerability in VMware’s Cloud Director platform that could potentially allow an attacker to gain access to sensitive information and control private clouds within an entire infrastructure.
Tracked as CVE-2020-3956, the code injection flaw stems from improper input handling that an authenticated attacker could abuse to send malicious traffic to Cloud Director, leading to the execution of arbitrary code.
It’s rated 8.8 out of 10 on the CVSS v.3 vulnerability severity scale, making it a critical vulnerability.
VMware Cloud Director is popular deployment, automation, and management software used to operate and manage cloud resources, allowing businesses to turn data centers distributed across different geographical locations into virtual data centers.
According to the company, the vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface, and API access.
The vulnerability impacts VMware Cloud Director versions 10.0.x before 10.0.0.2, 9.7.0.x before 22.214.171.124, 9.5.0.x before 126.96.36.199, and 9.1.0.x before 188.8.131.52.
The vulnerability was identified by a Prague-based ethical…