VMSA-2024-0015: VMware Cloud Director Object Storage Extension addresses an Insertion of Sensitive Information vulnerability (CVE-2024-22276)
24372
27 June 2024
27 June 2024
OPEN
MEDIUM
5.3
CVE-2024-22276
Advisory ID: | VMSA-2024-0015 |
Advisory Severity: | Moderate |
CVSSv3 Range: | 5.3 |
Synopsis: | VMware Cloud Director Object Storage Extension addresses an Insertion of Sensitive Information vulnerability (CVE-2024-22276) |
Issue Date: | 2024-06-27 |
Updated On: | 2024-06-27 (Initial Advisory) |
CVE(s) | CVE-2024-22276 |
1. Impacted Products
- VMware Cloud Director Object Storage Extension
2. Introduction
An Insertion of Sensitive Information vulnerability in VMware Cloud Director Object Storage Extension was responsibly reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.
3. Insertion of Sensitive Information vulnerability (CVE-2024-22276)
Description:
VMware Cloud Director Object Storage Extension contains an Insertion of Sensitive Information vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.
Known Attack Vectors:
A malicious actor with adjacent access to web/proxy server logging may be able to obtain sensitive information from URLs that are logged.
Resolution:
To remediate CVE-2024-22276, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.
Workarounds:
None.
Additional Documentation:
None.
Acknowledgements:
VMware would like to thank Rafal Lykowski and Alexandre Labbe at A1 Digital International for reporting this issue to us.
Notes:
None.
Response Matrix:
VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
VMware Cloud Director Object Storage Extension | 3.1 | Any | CVE-2024-22276 | N/A | N/A | Unaffected | N/A | N/A |
VMware Cloud Director Object Storage Extension | 3.0 | Any | CVE-2024-22276 | 5.3 | Moderate | 3.1 | None | None |
VMware Cloud Director Object Storage Extension | 2.x | Any | CVE-2024-22276 | 5.3 | Moderate | 2.2.3.1 | None | None |
4. References:
Fixed Version(s) and Release Notes:
Downloads and Documentation:
VMware Cloud Director Object Storage Extension 3.1:
VMware Cloud Director Object Storage Extension 2.2.3.1:
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22276
FIRST CVSSv3 Calculator:
CVE-2024-22276: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5. Change Log:
2024-06-27 VMSA-2024-0015
Initial security advisory.
6. Contact:
E-mail: [email protected]
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2024 Broadcom. All rights reserved.