Vulnerability Description
VMware vCenter Server (6.7 before 6.7u3, 6.6 before 6.5u3k) contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate validation. A malicious actor with network positioning between vCenter Server and an update repository may be able to perform a session hijack when the vCenter Server Appliance Management Interface is used to download vCenter updates.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Cloud Foundation | >= 3.0, < 3.9 |
| Vmware | Vcenter Server | 6.5 |
Related Weaknesses (CWE)
References
- https://www.vmware.com/security/advisories/VMSA-2020-0023.htmlPatchVendor Advisory
- https://www.vmware.com/security/advisories/VMSA-2020-0023.htmlPatchVendor Advisory
FAQ
What is CVE-2020-3994?
CVE-2020-3994 is a vulnerability with a CVSS score of 7.4 (HIGH). VMware vCenter Server (6.7 before 6.7u3, 6.6 before 6.5u3k) contains a session hijack vulnerability in the vCenter Server Appliance Management Interface update function due to a lack of certificate va...
How severe is CVE-2020-3994?
CVE-2020-3994 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-3994?
Check the references section above for vendor advisories and patch information. Affected products include: Vmware Cloud Foundation, Vmware Vcenter Server.