Homepage
About Snyk

Authentication Bypass Affecting com.vmware.xenon:xenon-common package, versions [,1.1.0-CR0-3) [1.1.0-CR1,1.1.0-CR3_1) [1.1.0-CR4,1.3.7-CR1_2) [1.4.0,1.4.2-CR4_1) [1.5.0,1.5.4-CR6_2) [1.5.4-CR7,1.5.4-CR7_1] [1.5.5,1.5.7_9)

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.36% (73rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-COMVMWAREXENON-31636
  • published 21 Feb 2018
  • disclosed 12 Feb 2018
  • credit George Chrysanthakopoulos
Report a new vulnerability Found a mistake?

Introduced: 12 Feb 2018

CVE-2017-4952 Open this link in a new tab
CWE-592 Open this link in a new tab

How to fix?

Upgrade com.vmware.xenon:xenon-common to version 1.5.4-CR7_1, 1.5.4_7, 1.5.4-CR6_2, 1.5.4_8, 1.4.2-CR4_1, 1.3.7-CR1_2, 1.1.0-CR0-3, 1.1.0-CR3_1 or higher.

Overview

Affected versions of com.vmware.xenon:xenon-common are vulnerable to Authentication Bypass due to insufficient access controls for utility endpoints. Successful exploitation of this issue may result in information disclosure.

CVSS Scores

version 3.1
Expand this section

Snyk

7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None