VMSA-2024-0016: VMware Cloud Director Availability addresses an HTML injection vulnerability (CVE-2024-22277)


Advisory ID: VMSA-2024-0016
Severity: Moderate
CVSSv3 Range: 6.4
Issue date: 2024-07-04
Updated on: 2024-07-04 (Initial Advisory)
CVE(s): CVE-2024-22277
Synopsis: VMware Cloud Director Availability addresses an HTML injection vulnerability (CVE-2024-22277)

1. Impacted Products

  • VMware Cloud Director Availability

2. Introduction

An HTML injection vulnerability in VMware Cloud Director Availability was responsibly reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.

3. HTML injection vulnerability (CVE-2024-22277)

Description: 
VMware Cloud Director Availability contains an HTML injection vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.4.

Known Attack Vectors:
A malicious actor with network access to VMware Cloud Director Availability can inject crafted HTML tags that are rendered within replication tasks. The CVSSv3 vector published for this issue (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates that the attacker needs only low-privileged access and no interaction from another user, that the impact extends beyond the vulnerable component (changed scope), and that the effect on confidentiality and integrity is limited, with no effect on availability.
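
The advisory does not say where in the product the injected HTML ends up, only that crafted tags are rendered within replication tasks. As an added illustration of the bug class, written here and not taken from VMware Cloud Director Availability, the Python below shows the vulnerable interpolation pattern beside the escaped form, plus a server-side check that rejects or audits task fields that already carry markup. The task list, the `name` field and the function names are constructed for the example and are not claims about how the product stores or renders replication tasks.

```python
import html
import re

# Constructed sample data (not from VMware Cloud Director Availability): two
# replication tasks whose "name" field was set by a low-privileged tenant user.
TASKS = [
    {"id": 1, "name": "db-replication", "state": "running"},
    {
        "id": 2,
        "name": 'prod-vm <a href="https://attacker.example/login">Re-authenticate</a>',
        "state": "failed",
    },
]

# Start of an element, closing tag, comment or doctype: "<a", "</a", "<!--".
# A bare "<" followed by a space (e.g. "a < b") is not markup and is allowed.
_MARKUP = re.compile(r"<[A-Za-z/!]")


def render_row_unsafe(task: dict) -> str:
    """Vulnerable pattern: untrusted fields are interpolated into markup verbatim.

    Whatever the user put into "name" becomes part of the DOM of every
    operator who views the task list, so an injected <a> is a live link.
    """
    return f'<tr><td>{task["id"]}</td><td>{task["name"]}</td><td>{task["state"]}</td></tr>'


def render_row_safe(task: dict) -> str:
    """Hardened pattern: escape every untrusted value for HTML element content.

    html.escape() rewrites <, >, &, " and ' so the browser displays the text
    literally instead of parsing it as tags or attributes.
    """
    cells = (task["id"], task["name"], task["state"])
    return "<tr>" + "".join(f"<td>{html.escape(str(c))}</td>" for c in cells) + "</tr>"


def contains_markup(value: str) -> bool:
    """Input check for fields that should never carry markup (hypothetical policy)."""
    return _MARKUP.search(value) is not None


def find_tasks_with_markup(tasks: list) -> list:
    """Audit helper: ids of tasks whose name already contains markup."""
    return [t["id"] for t in tasks if contains_markup(t["name"])]


if __name__ == "__main__":
    for t in TASKS:
        print("unsafe:", render_row_unsafe(t))
        print("safe:  ", render_row_safe(t))
    print("tasks with markup in name:", find_tasks_with_markup(TASKS))
```

Output escaping is the fix that closes the bug class; the input check is a defence in depth and an audit aid, not a substitute, because a field that legitimately contains `<` still has to be rendered safely. The escaping shown is correct only for HTML element content: a value placed inside an attribute, a URL or a script block needs the encoding for that context.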

Resolution: 
To remediate CVE-2024-22277 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds:
None.

Additional Documentation:
None.

Acknowledgements: 

VMware would like to thank Rafal Lykowski and Alexandre Labbe at A1 Digital International for reporting this issue to us.

Notes:
None.

Response Matrix:

VMware Product                     | Version | Running On | CVE            | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation
VMware Cloud Director Availability | 4.7.2   | Any        | CVE-2024-22277 | N/A    | N/A      | Unaffected    | N/A         | N/A
VMware Cloud Director Availability | 4.x     | Any        | CVE-2024-22277 | 6.4    | Moderate | 4.7.2         | None        | None

4. References:

Fixed Version(s) and Release Notes:

Downloads and Documentation:

https://docs.vmware.com/en/VMware-Cloud-Director-Availability/4.7.2/rn/vmware-cloud-director-availability-472-release-notes/index.html

https://support.broadcom.com/group/ecx/productfiles?subFamily=VMware%20Cloud%20Director%20Availability&displayGroup=Standard&release=4.7.2&os=&servicePk=521083&language=EN

Mitre CVE Dictionary Links:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22277

FIRST CVSSv3 Calculator:
CVE-2024-22277: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

5. Change Log:

2024-07-04 VMSA-2024-0016
Initial security advisory.

6. Contact:

E-mail: [email protected]

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

Copyright 2024 Broadcom All rights reserved.