Bug 294215 (CVE-2010-0686)

Comment 1 Stefan Behte (RETIRED) 2009-11-23 17:45:06 UTC

It's app-emulation/vmware-server, I had a litte copy&paste accident there.

*** Bug 294567 has been marked as a duplicate of this bug. ***

Comment 3 Stefan Behte (RETIRED) 2010-04-06 04:05:09 UTC

CVE-2010-0686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0686):
  WebAccess in VMware VirtualCenter 2.0.2 and 2.5, VMware Server 2.0,
  and VMware ESX 3.0.3 and 3.5 allows remote attackers to leverage
  proxy-server functionality to spoof the origin of requests via
  unspecified vectors, related to a "URL forwarding vulnerability."

Comment 4 Vadim Kuznetsov (RETIRED) 2010-04-06 15:38:34 UTC

(In reply to comment #3)
> CVE-2010-0686 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0686):
>   WebAccess in VMware VirtualCenter 2.0.2 and 2.5, VMware Server 2.0,
>   and VMware ESX 3.0.3 and 3.5 allows remote attackers to leverage
>   proxy-server functionality to spoof the origin of requests via
>   unspecified vectors, related to a "URL forwarding vulnerability."
> 

According to http://www.vmware.com/security/advisories/VMSA-2010-0005.html
a. WebAccess Context Data Cross-site Scripting Vulnerability
hosted **      any       any      not affected    
b. WebAccess Virtual Machine Name Cross-site Scripting Vulnerability
Server         2.0       any      not affected
Server         1.0       any      not being fixed at this time ***
c. WebAccess URL Forwarding Vulnerability
Server         2.0       any      not being fixed at this time *
d. WebAccess JSON Cross-site Scripting Vulnerability
Server         2.0       any      not being fixed at this time *

Solution:
* Use the workaround of disabling WebAccess to remediate the issue.

Comment 5 Tim Sammut (RETIRED) 2011-10-24 03:53:57 UTC

VMware server has been removed from the tree. Closing noglsa for ~arch only package.