VMware Tanzu products update for rsync
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2022-29154 |
| CWE-ID | CWE-22 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
VMware Tanzu Application Service for VMs Server applications / Other server solutions Isolation Segment Server applications / Other server solutions Platform Automation Toolkit Other software / Other software solutions VMware Tanzu Operations Manager Server applications / Virtualization software |
| Vendor | VMware, Inc |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Path traversal
EUVDB-ID: #VU66189
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-29154
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote server to perform directory traversal attacks.
The vulnerability exists due to input validation error within the rsync client when processing file names. A remote malicious server overwrite arbitrary files in the rsync client target directory and subdirectories on the connected peer.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVMware Tanzu Application Service for VMs: All versions
Isolation Segment: All versions
Platform Automation Toolkit: before 5.1.1
VMware Tanzu Operations Manager: before 3.0.5
External linkshttp://tanzu.vmware.com/security/usn-5921-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
