| Vulnerability Name: | CVE-2014-4632 (CCN-100866) |
| Assigned: | 2014-06-24 |
| Published: | 2015-01-29 |
| Updated: | 2017-08-29 |
| Summary: | VMware vSphere Data Protection (VDP) 5.1, 5.5 before 5.5.9, and 5.8 before 5.8.1 and the proxy client in EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x do not properly verify X.509 certificates from vCenter Server SSL servers, which allows man-in-the-middle attackers to spoof servers, and bypass intended backup and restore access restrictions, via a crafted certificate. |
| CVSS v3 Severity: | 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) |
| CVSS v2 Severity: | 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N) |
| | 3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C) |
| | 3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C) |
| Vulnerability Type: | CWE-310 |
| Vulnerability Consequences: | Bypass Security |
| References: | Source: BUGTRAQ Type: UNKNOWN 20150130 ESA-2015-006: EMC Avamar Missing Certificate Validation Vulnerability |
| | Source: CCN Type: EMC Security Advisory ESA-2015-006 EMC Avamar Missing Certificate Validation Vulnerability |
| | Source: MITRE Type: CNA CVE-2014-4632 |
| | Source: CCN Type: BID-72367 VMware vSphere Data Protection CVE-2014-4632 Certificate Validation Security Bypass Vulnerability |
| | Source: SECTRACK Type: UNKNOWN 1031664 |
| | Source: CONFIRM Type: Vendor Advisory http://www.vmware.com/security/advisories/VMSA-2015-0002.html |
| | Source: XF Type: UNKNOWN emc-vmware-cve20144632-sec-bypass(100866) |
| | Source: CCN Type: VMSA-2015-0002 VMware vSphere Data Protection product update addresses a certificate validation vulnerability |
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1: Denotes that component is vulnerable |