CVE-2019-5534

HIGH

VMware vCenter Server < 6.7 U3, < 6.5 U3, < 6.0 U3j - Unprotected Credential Exposure via vAppConfig Properties

Title source: llm

Description

VMware vCenter Server (6.7.x prior to 6.7 U3, 6.5 prior to 6.5 U3 and 6.0 prior to 6.0 U3j) contains an information disclosure vulnerability where Virtual Machines deployed from an OVF could expose login information via the virtual machine's vAppConfig properties. A malicious actor with access to query the vAppConfig properties of a virtual machine deployed from an OVF may be able to view the credentials used to deploy the OVF (typically the root account of the virtual machine).

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://www.vmware.com/security/advisories/VMSA-2019-0013.html

Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/154536/VMware-Security-Advisory-2019-0013.html

Scores

CVSS v3 7.7

EPSS 0.0036

EPSS Percentile 58.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Details

CWE

CWE-522 CWE-200

Status published

Products (3)

vmware/vcenter_server 6.0 (18 CPE variants)

vmware/vcenter_server 6.7 (10 CPE variants)

vmware/vcenter_server 6.5 (16 CPE variants)

Published Sep 18, 2019

Tracked Since Feb 18, 2026