Allele Security Alert
ASA-2019-00559
Identifier(s)
ASA-2019-00559, CVE-2019-5531, VMSA-2019-0013
Title
Information disclosure vulnerability
Vendor(s)
VMware
Product(s)
VMware vSphere ESXi (ESXi)
VMware vCenter Server (vCenter)
Affected version(s)
VMware vSphere ESXi Host Client 6.7 versions before ESXi670-201810101-SG
VMware vSphere ESXi Host Client 6.5 versions before ESXi650-201811102-SG
VMware vSphere ESXi Host Client 6.0 versions before ESXi600-201807103-SG
VMware vCenter Server vSphere Client 6.7 versions before 6.7 U1b
VMware vCenter Server vSphere Client 6.5 versions before 6.5 U2b
VMware vCenter Server vSphere Web Client 6.7 versions before 6.7 U1b
VMware vCenter Server vSphere Web Client 6.5 versions before 6.5 U2b
VMware vCenter Server vSphere Web Client 6.0 versions before 6.0 U3j
Fixed version(s)
VMware vSphere ESXi Host Client 6.7 version ESXi670-201810101-SG
VMware vSphere ESXi Host Client 6.5 version ESXi650-201811102-SG
VMware vSphere ESXi Host Client 6.0 version ESXi600-201807103-SG
VMware vCenter Server vSphere Client 6.7 version 6.7 U1b
VMware vCenter Server vSphere Client 6.5 version 6.5 U2b
VMware vCenter Server vSphere Web Client 6.7 version 6.7 U1b
VMware vCenter Server vSphere Web Client 6.5 version 6.5 U2b
VMware vCenter Server vSphere Web Client 6.0 version 6.0 U3j
Proof of concept
Unknown
Description
The affected clients contain an information disclosure vulnerability arising from insufficient session expiration. An attacker with physical access, or with the ability to mimic a WebSocket connection to a user’s browser, may be able to obtain control of a VM Console after the user has logged out or their session has timed out.
Technical details
Unknown
Credits
Dejan Zelic
Reference(s)
VMSA-2019-0013.1
https://www.vmware.com/security/advisories/VMSA-2019-0013.html
CVE-2019-5531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5531
CVE-2019-5531
https://nvd.nist.gov/vuln/detail/CVE-2019-5531
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 13, 2019