CVE-2016-7462

HIGH

VMware vROps <6.4.0 - Deserialization

Title source: llm

Description

The Suite REST API in VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to write arbitrary content to files or rename files via a crafted DiskFileItem in a relay-request payload that is mishandled during deserialization.

References (4)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/94351

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1037297

[Vendor Advisory] http://www.vmware.com/security/advisories/VMSA-2016-0020.html

[Technical Description, Third Party Advisory] https://www.tenable.com/security/research/tra-2016-34

Scores

CVSS v3 8.5

EPSS 0.0167

EPSS Percentile 82.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

Details

CWE

CWE-749 CWE-264

Status published

Products (5)

vmware/vrealize_operations 6.0.0

vmware/vrealize_operations 6.1.0

vmware/vrealize_operations 6.2.0a

vmware/vrealize_operations 6.2.1

vmware/vrealize_operations 6.3.0

Published Dec 29, 2016

Tracked Since Feb 18, 2026