Description
VMware vSphere Data Protection (VDP) 5.1, 5.5 before 5.5.9, and 5.8 before 5.8.1 and the proxy client in EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x do not properly verify X.509 certificates from vCenter Server SSL servers, which allows man-in-the-middle attackers to spoof servers and bypass intended backup and restore access restrictions via a crafted certificate.
References (4)
Vendor Advisory (x_refsource_confirm): http://www.vmware.com/security/advisories/VMSA-2015-0002.html
Third Party Advisory (mailing-list, x_refsource_bugtraq): http://archives.neohapsis.com/archives/bugtraq/2015-01/0154.html
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/100866
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1031664
Scores
EPSS: 0.0014
EPSS Percentile: 34.1%
Details
CWE: CWE-310
Status: published
Products (6)
vmware/vsphere_data_protection 5.1
vmware/vsphere_data_protection 5.5.1
vmware/vsphere_data_protection 5.5.6
vmware/vsphere_data_protection 5.5.7
vmware/vsphere_data_protection 5.5.8
vmware/vsphere_data_protection 5.8.0
Published: Feb 01, 2015
Tracked Since: Feb 18, 2026