VMware vCenter Server is an advanced server management software that provides a centralized platform for controlling vSphere environments for visibility across hybrid clouds. You can quickly deploy vCenter Server as a pre-packaged, optimized, and easy-to-maintain virtual appliance. The following disclosure vulnerability was reported to VMware by Yuval Lazar (@Ul7raVi0l3t) of Pentera. To remediate this vulnerability, apply the patch in the response matrix below as it applies to you.
The vCenter Server contains an information disclosure vulnerability due to improper permission of files. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.5.Below are the affected products
- VMware vCenter Server (vCenter Server)
- VMware Cloud Foundation (Cloud Foundation)
An information disclosure vulnerability in VMware vCenter Server was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.
Known Attack Vectors
A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information.
Resolution
To remediate CVE-2022-22948 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below the response matrix.
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| vCenter Server | 7.0 | Any | CVE-2022-22948 | 5.5 | Moderate | 7.0 U3d | None | None |
| vCenter Server | 6.7 | Virtual Appliance | CVE-2022-22948 | 5.5 | Moderate | 6.7 U3p | None | None |
| vCenter Server | 6.7 | Windows | CVE-2022-22948 | N/A | N/A | Unaffected | N/A | N/A |
| vCenter Server | 6.5 | Virtual Appliance | CVE-2022-22948 | 5.5 | Moderate | 6.5 U3r | None | None |
| vCenter Server | 6.5 | Windows | CVE-2022-22948 | N/A | N/A | Unaffected | N/A | N/A |
Impacted Product Suites that Deploy Response Matrix Components
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| Cloud Foundation (vCenter Server) | 4.x | Any | CVE-2022-22948 | 5.5 | Moderate | Patch pending | None | None |
| Cloud Foundation (vCenter Server) | 3.x | Any | CVE-2022-22948 | 5.5 | Moderate | 3.11 | None | None |
You may want to learn more about this disclosure. Kindly click on the following link1, or link2.