VMware issues 10.0 CVSS rating on vCenter Server vulnerability
scmagazine | April 13, 2020
VMWare issued a warning and patch for a vulnerability in its VMware vCenter Server that maxed out the CVSS rating system by garnering a 10.0. The issue, CVE-2020-3952, centers on the vmdir that ships with VMWare vCenter Server as it does not properly implement access controls. To exploit this vulnerability a malicious actor would have to have network access to an affected vmdir deployment giving them the ability to extract highly sensitive information which then could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication. Satnam Narang, principal research engineer at Tenable, pointed out that VMWare listed only a limited set of vCenter Servers affected by this flaw, specifically version 6.7 upgraded from version 6.0 and 6.5. Narang also suggested that by giving the flaw a 10.0 CVSS score VMWare likely believes it is easy to exploit.