Search criteria
4 vulnerabilities found for VMware Tanzu GemFire for VMs by VMware Tanzu
CVE-2020-5396 (GCVE-0-2020-5396)
Vulnerability from cvelistv5 – Published: 2020-07-31 19:40 – Updated: 2024-09-16 16:23
VLAI?
Title
JMX Insecure Default Configuration in GemFire
Summary
VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, and VMware Tanzu GemFire for VMs versions prior to 1.11.1 and 1.10.2, when deployed without a SecurityManager, contain a JMX service available which contains an insecure default configuration. This allows a malicious user to create an MLet mbean leading to remote code execution.
Severity ?
No CVSS data available.
CWE
- CWE-284 - Improper Access Control - Generic
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| VMware Tanzu | VMware Tanzu GemFire for VMs |
Affected:
1.10 , < 1.10.2
(custom)
Affected: 1.11 , < 1.11.1 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.241Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5396"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VMware Tanzu GemFire for VMs",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "1.10.2",
"status": "affected",
"version": "1.10",
"versionType": "custom"
},
{
"lessThan": "1.11.1",
"status": "affected",
"version": "1.11",
"versionType": "custom"
}
]
},
{
"product": "VMware GemFire",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "9.7.6",
"status": "affected",
"version": "9.7",
"versionType": "custom"
},
{
"lessThan": "9.8.7",
"status": "affected",
"version": "9.8",
"versionType": "custom"
},
{
"lessThan": "9.9.2",
"status": "affected",
"version": "9.9",
"versionType": "custom"
},
{
"lessThan": "9.10.0",
"status": "affected",
"version": "9.10",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-07-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, and VMware Tanzu GemFire for VMs versions prior to 1.11.1 and 1.10.2, when deployed without a SecurityManager, contain a JMX service available which contains an insecure default configuration. This allows a malicious user to create an MLet mbean leading to remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control - Generic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-31T19:40:19",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5396"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "JMX Insecure Default Configuration in GemFire",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-07-30T23:27:40.000Z",
"ID": "CVE-2020-5396",
"STATE": "PUBLIC",
"TITLE": "JMX Insecure Default Configuration in GemFire"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VMware Tanzu GemFire for VMs",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.10",
"version_value": "1.10.2"
},
{
"version_affected": "\u003c",
"version_name": "1.11",
"version_value": "1.11.1"
}
]
}
},
{
"product_name": "VMware GemFire",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.7",
"version_value": "9.7.6"
},
{
"version_affected": "\u003c",
"version_name": "9.8",
"version_value": "9.8.7"
},
{
"version_affected": "\u003c",
"version_name": "9.9",
"version_value": "9.9.2"
},
{
"version_affected": "\u003c",
"version_name": "9.10",
"version_value": "9.10.0"
}
]
}
}
]
},
"vendor_name": "VMware Tanzu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, and VMware Tanzu GemFire for VMs versions prior to 1.11.1 and 1.10.2, when deployed without a SecurityManager, contain a JMX service available which contains an insecure default configuration. This allows a malicious user to create an MLet mbean leading to remote code execution."
}
]
},
"impact": null,
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control - Generic"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tanzu.vmware.com/security/cve-2020-5396",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2020-5396"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2020-5396",
"datePublished": "2020-07-31T19:40:19.558489Z",
"dateReserved": "2020-01-03T00:00:00",
"dateUpdated": "2024-09-16T16:23:21.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11286 (GCVE-0-2019-11286)
Vulnerability from cvelistv5 – Published: 2020-07-31 19:40 – Updated: 2024-09-16 23:46
VLAI?
Title
JMX Credential Deserialization in GemFire
Summary
VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the service with a crafted set of credentials leading to remote code execution.
Severity ?
9 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| VMware Tanzu | VMware GemFire |
Affected:
9.7 , < 9.7.5
(custom)
Affected: 9.8 , < 9.8.5 (custom) Affected: 9.9 , < 9.9.1 (custom) Affected: 9.10 , < 9.10.0 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:48:09.058Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2019-11286"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VMware GemFire",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "9.7.5",
"status": "affected",
"version": "9.7",
"versionType": "custom"
},
{
"lessThan": "9.8.5",
"status": "affected",
"version": "9.8",
"versionType": "custom"
},
{
"lessThan": "9.9.1",
"status": "affected",
"version": "9.9",
"versionType": "custom"
},
{
"lessThan": "9.10.0",
"status": "affected",
"version": "9.10",
"versionType": "custom"
}
]
},
{
"product": "VMware Tanzu GemFire for VMs",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "1.9.2",
"status": "affected",
"version": "1.9",
"versionType": "custom"
},
{
"lessThan": "1.10.1",
"status": "affected",
"version": "1.10",
"versionType": "custom"
},
{
"lessThan": "1.8.2",
"status": "affected",
"version": "1.8",
"versionType": "custom"
},
{
"lessThan": "1.11.0",
"status": "affected",
"version": "1.11",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-07-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the service with a crafted set of credentials leading to remote code execution."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-31T19:40:19",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2019-11286"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "JMX Credential Deserialization in GemFire",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-07-30T23:27:23.000Z",
"ID": "CVE-2019-11286",
"STATE": "PUBLIC",
"TITLE": "JMX Credential Deserialization in GemFire"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VMware GemFire",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.7",
"version_value": "9.7.5"
},
{
"version_affected": "\u003c",
"version_name": "9.8",
"version_value": "9.8.5"
},
{
"version_affected": "\u003c",
"version_name": "9.9",
"version_value": "9.9.1"
},
{
"version_affected": "\u003c",
"version_name": "9.10",
"version_value": "9.10.0"
}
]
}
},
{
"product_name": "VMware Tanzu GemFire for VMs",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.9",
"version_value": "1.9.2"
},
{
"version_affected": "\u003c",
"version_name": "1.10",
"version_value": "1.10.1"
},
{
"version_affected": "\u003c",
"version_name": "1.8",
"version_value": "1.8.2"
},
{
"version_affected": "\u003c",
"version_name": "1.11",
"version_value": "1.11.0"
}
]
}
}
]
},
"vendor_name": "VMware Tanzu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the service with a crafted set of credentials leading to remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502: Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tanzu.vmware.com/security/cve-2019-11286",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2019-11286"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2019-11286",
"datePublished": "2020-07-31T19:40:19.094851Z",
"dateReserved": "2019-04-18T00:00:00",
"dateUpdated": "2024-09-16T23:46:18.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-5396 (GCVE-0-2020-5396)
Vulnerability from nvd – Published: 2020-07-31 19:40 – Updated: 2024-09-16 16:23
VLAI?
Title
JMX Insecure Default Configuration in GemFire
Summary
VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, and VMware Tanzu GemFire for VMs versions prior to 1.11.1 and 1.10.2, when deployed without a SecurityManager, contain a JMX service available which contains an insecure default configuration. This allows a malicious user to create an MLet mbean leading to remote code execution.
Severity ?
No CVSS data available.
CWE
- CWE-284 - Improper Access Control - Generic
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| VMware Tanzu | VMware Tanzu GemFire for VMs |
Affected:
1.10 , < 1.10.2
(custom)
Affected: 1.11 , < 1.11.1 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T08:30:24.241Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5396"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VMware Tanzu GemFire for VMs",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "1.10.2",
"status": "affected",
"version": "1.10",
"versionType": "custom"
},
{
"lessThan": "1.11.1",
"status": "affected",
"version": "1.11",
"versionType": "custom"
}
]
},
{
"product": "VMware GemFire",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "9.7.6",
"status": "affected",
"version": "9.7",
"versionType": "custom"
},
{
"lessThan": "9.8.7",
"status": "affected",
"version": "9.8",
"versionType": "custom"
},
{
"lessThan": "9.9.2",
"status": "affected",
"version": "9.9",
"versionType": "custom"
},
{
"lessThan": "9.10.0",
"status": "affected",
"version": "9.10",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-07-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, and VMware Tanzu GemFire for VMs versions prior to 1.11.1 and 1.10.2, when deployed without a SecurityManager, contain a JMX service available which contains an insecure default configuration. This allows a malicious user to create an MLet mbean leading to remote code execution."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control - Generic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-31T19:40:19",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2020-5396"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "JMX Insecure Default Configuration in GemFire",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-07-30T23:27:40.000Z",
"ID": "CVE-2020-5396",
"STATE": "PUBLIC",
"TITLE": "JMX Insecure Default Configuration in GemFire"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VMware Tanzu GemFire for VMs",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.10",
"version_value": "1.10.2"
},
{
"version_affected": "\u003c",
"version_name": "1.11",
"version_value": "1.11.1"
}
]
}
},
{
"product_name": "VMware GemFire",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.7",
"version_value": "9.7.6"
},
{
"version_affected": "\u003c",
"version_name": "9.8",
"version_value": "9.8.7"
},
{
"version_affected": "\u003c",
"version_name": "9.9",
"version_value": "9.9.2"
},
{
"version_affected": "\u003c",
"version_name": "9.10",
"version_value": "9.10.0"
}
]
}
}
]
},
"vendor_name": "VMware Tanzu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "VMware GemFire versions prior to 9.10.0, 9.9.2, 9.8.7, and 9.7.6, and VMware Tanzu GemFire for VMs versions prior to 1.11.1 and 1.10.2, when deployed without a SecurityManager, contain a JMX service available which contains an insecure default configuration. This allows a malicious user to create an MLet mbean leading to remote code execution."
}
]
},
"impact": null,
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284: Improper Access Control - Generic"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tanzu.vmware.com/security/cve-2020-5396",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2020-5396"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2020-5396",
"datePublished": "2020-07-31T19:40:19.558489Z",
"dateReserved": "2020-01-03T00:00:00",
"dateUpdated": "2024-09-16T16:23:21.490Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-11286 (GCVE-0-2019-11286)
Vulnerability from nvd – Published: 2020-07-31 19:40 – Updated: 2024-09-16 23:46
VLAI?
Title
JMX Credential Deserialization in GemFire
Summary
VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the service with a crafted set of credentials leading to remote code execution.
Severity ?
9 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| VMware Tanzu | VMware GemFire |
Affected:
9.7 , < 9.7.5
(custom)
Affected: 9.8 , < 9.8.5 (custom) Affected: 9.9 , < 9.9.1 (custom) Affected: 9.10 , < 9.10.0 (custom) |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T22:48:09.058Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2019-11286"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "VMware GemFire",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "9.7.5",
"status": "affected",
"version": "9.7",
"versionType": "custom"
},
{
"lessThan": "9.8.5",
"status": "affected",
"version": "9.8",
"versionType": "custom"
},
{
"lessThan": "9.9.1",
"status": "affected",
"version": "9.9",
"versionType": "custom"
},
{
"lessThan": "9.10.0",
"status": "affected",
"version": "9.10",
"versionType": "custom"
}
]
},
{
"product": "VMware Tanzu GemFire for VMs",
"vendor": "VMware Tanzu",
"versions": [
{
"lessThan": "1.9.2",
"status": "affected",
"version": "1.9",
"versionType": "custom"
},
{
"lessThan": "1.10.1",
"status": "affected",
"version": "1.10",
"versionType": "custom"
},
{
"lessThan": "1.8.2",
"status": "affected",
"version": "1.8",
"versionType": "custom"
},
{
"lessThan": "1.11.0",
"status": "affected",
"version": "1.11",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-07-30T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the service with a crafted set of credentials leading to remote code execution."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-31T19:40:19",
"orgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"shortName": "pivotal"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://tanzu.vmware.com/security/cve-2019-11286"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "JMX Credential Deserialization in GemFire",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@pivotal.io",
"DATE_PUBLIC": "2020-07-30T23:27:23.000Z",
"ID": "CVE-2019-11286",
"STATE": "PUBLIC",
"TITLE": "JMX Credential Deserialization in GemFire"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "VMware GemFire",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "9.7",
"version_value": "9.7.5"
},
{
"version_affected": "\u003c",
"version_name": "9.8",
"version_value": "9.8.5"
},
{
"version_affected": "\u003c",
"version_name": "9.9",
"version_value": "9.9.1"
},
{
"version_affected": "\u003c",
"version_name": "9.10",
"version_value": "9.10.0"
}
]
}
},
{
"product_name": "VMware Tanzu GemFire for VMs",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "1.9",
"version_value": "1.9.2"
},
{
"version_affected": "\u003c",
"version_name": "1.10",
"version_value": "1.10.1"
},
{
"version_affected": "\u003c",
"version_name": "1.8",
"version_value": "1.8.2"
},
{
"version_affected": "\u003c",
"version_name": "1.11",
"version_value": "1.11.0"
}
]
}
}
]
},
"vendor_name": "VMware Tanzu"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the service with a crafted set of credentials leading to remote code execution."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502: Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tanzu.vmware.com/security/cve-2019-11286",
"refsource": "CONFIRM",
"url": "https://tanzu.vmware.com/security/cve-2019-11286"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "862b2186-222f-48b9-af87-f1fb7bb26d03",
"assignerShortName": "pivotal",
"cveId": "CVE-2019-11286",
"datePublished": "2020-07-31T19:40:19.094851Z",
"dateReserved": "2019-04-18T00:00:00",
"dateUpdated": "2024-09-16T23:46:18.238Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}