VMSA-2024-0014: VMware Cloud Director addresses an improper privilege management vulnerability (CVE-2024-22272)
| Field | Value |
|---|---|
| Advisory ID | VMSA-2024-0014 |
| Advisory Severity | Moderate |
| CVSSv3 Range | 4.9 |
| Synopsis | VMware Cloud Director addresses an Improper Privilege Management vulnerability (CVE-2024-22272) |
| Issue Date | 2024-06-27 |
| Updated on | 2024-06-27 |
| CVE(s) | CVE-2024-22272 |
1. Impacted Products
- VMware Cloud Director
2. Introduction
An Improper Privilege Management vulnerability in VMware Cloud Director was responsibly reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.
3. Improper Privilege Management vulnerability (CVE-2024-22272)
Description:
VMware Cloud Director contains an Improper Privilege Management vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.9.
Known Attack Vectors:
An authenticated tenant administrator for a given organization within VMware Cloud Director may be able to accidentally disable their organization leading to a Denial of Service for active sessions within their own organization's scope.
Resolution:
To remediate CVE-2024-22272 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Andrei Agape of Telia for reporting this issue to us.
Notes:
None.
Response Matrix:
| VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workaround | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Cloud Director | 10.6 | Any | CVE-2024-22272 | N/A | N/A | Unaffected | None | None |
| VMware Cloud Director | 10.5.x/10.4.x | Any | CVE-2024-22272 | 4.9 | Moderate | 10.6 | None | None |
4. References:
Fixed Version(s) and Release Notes:
Downloads and Documentation:
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22272
FIRST CVSSv3 Calculator:
CVE-2024-22272: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
5. Change Log:
2024-06-27 VMSA-2024-0014
Initial security advisory.
6. Contact:
E-mail: [email protected]
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2024 Broadcom All rights reserved.