VMSA-2024-0015: VMware Cloud Director Object Storage Extension addresses an Insertion of Sensitive Information vulnerability (CVE-2024-22276)


Advisory ID: VMSA-2024-0015
Advisory Severity: Moderate
CVSSv3 Range: 5.3
Synopsis: VMware Cloud Director Object Storage Extension addresses an Insertion of Sensitive Information vulnerability (CVE-2024-22276)
Issue Date: 2024-06-27
Updated On: 2024-06-27 (Initial Advisory)
CVE(s): CVE-2024-22276

1. Impacted Products

  • VMware Cloud Director Object Storage Extension

2. Introduction

An Insertion of Sensitive Information vulnerability in VMware Cloud Director Object Storage Extension was responsibly reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

3. Insertion of Sensitive Information vulnerability (CVE-2024-22276)

Description: 
VMware Cloud Director Object Storage Extension contains an Insertion of Sensitive Information vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors:
A malicious actor with adjacent access to web/proxy server logging may be able to obtain sensitive information from URLs that are logged.
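For log files that may already hold such URLs, the following added example (not part of VMware's advisory) masks secret-looking query-string values in common/combined-format access-log lines and counts which parameter names were hit. The advisory does not name the affected URL components, so the parameter-name pattern, the log format and the sample entries are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: generic secret-like parameter names. The advisory does not say
# which URL components are sensitive, so tune this list for your deployment.
SENSITIVE = re.compile(r"token|secret|signature|credential|password|session", re.I)
# Request line of a common/combined-format entry: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def redact_target(target):
    """Mask sensitive query values; return (target, masked parameter names)."""
    parts = urlsplit(target)
    hits, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if value and SENSITIVE.search(name):
            hits.append(name)
            value = "REDACTED"
        pairs.append((name, value))
    if not hits:
        return target, hits  # leave clean targets byte-identical
    return urlunsplit(parts._replace(query=urlencode(pairs))), hits

def scrub_line(line):
    """Redact the request target of one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return line, []
    target, hits = redact_target(m.group("target"))
    return line[:m.start("target")] + target + line[m.end("target"):], hits

def audit(lines):
    """Return (scrubbed lines, Counter of masked parameter names)."""
    scrubbed, seen = [], Counter()
    for line in lines:
        clean, hits = scrub_line(line)
        scrubbed.append(clean)
        seen.update(hits)
    return scrubbed, seen

# Constructed sample entries (hosts, paths and values are made up).
SAMPLE = [
    '10.0.0.5 - - [27/Jun/2024:10:00:00 +0000] "GET /constructed/bucket/report.pdf?signature=abc123&versionId=4 HTTP/1.1" 200 512',
    '10.0.0.6 - - [27/Jun/2024:10:00:01 +0000] "GET /constructed/bucket/?list-type=2 HTTP/1.1" 200 90',
    '10.0.0.7 - - [27/Jun/2024:10:00:02 +0000] "POST /constructed/upload?access_token=eyJ0.constructed&part=1 HTTP/1.1" 201 0',
]

if __name__ == "__main__":
    for entry in audit(SAMPLE)[0]:
        print(entry)
```

Only the request line is rewritten; a Referer field in combined-format logs can carry the same URL and would need the same treatment.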

Resolution: 
To remediate CVE-2024-22276, apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds:
None.

Additional Documentation:
None.

Acknowledgements: 

VMware would like to thank Rafal Lykowski and Alexandre Labbe at A1 Digital International for reporting this issue to us.

Notes:
None.

Response Matrix:

| VMware Product | Version | Running On | CVE | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Cloud Director Object Storage Extension | 3.1 | Any | CVE-2024-22276 | N/A | N/A | Unaffected | N/A | N/A |
| VMware Cloud Director Object Storage Extension | 3.0 | Any | CVE-2024-22276 | 5.3 | Moderate | 3.1 | None | None |
| VMware Cloud Director Object Storage Extension | 2.x | Any | CVE-2024-22276 | 5.3 | Moderate | 2.2.3.1 | None | None |

4. References:

Fixed Version(s) and Release Notes:

Downloads and Documentation:

VMware Cloud Director Object Storage Extension 3.1:

https://docs.vmware.com/en/VMware-Cloud-Director-Object-Storage-Extension/3.1/rn/vmware-cloud-director-object-storage-extension-31-release-notes/index.html

https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20Cloud%20Director%20Object%20Storage%20Extension&displayGroup=VMware%20Cloud%20Director%20Object%20Storage%20Extension&release=3.1&os=&servicePk=521023&language=EN

VMware Cloud Director Object Storage Extension 2.2.3.1:

https://docs.vmware.com/en/VMware-Cloud-Director-Object-Storage-Extension/2.2.3.1/rn/vmware-cloud-director-object-storage-extension-2231-release-notes/index.html

https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20Cloud%20Director%20Object%20Storage%20Extension&displayGroup=VMware%20Cloud%20Director%20Object%20Storage%20Extension&release=2.2.3.1&os=&servicePk=521487&language=EN

 

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22276

 

FIRST CVSSv3 Calculator:
CVE-2024-22276: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

5. Change Log:

2024-06-27 VMSA-2024-0015
Initial security advisory.

6. Contact:

E-mail: [email protected]

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2024 Broadcom All rights reserved.