CVE-2023-34058

Publication date 26 October 2023

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

7.5 · High

Score breakdown

VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .

Status

Package Ubuntu Release Status
open-vm-tools 24.10 oracular
Not affected
24.04 LTS noble
Not affected
23.10 mantic
Fixed 2:12.3.0-1ubuntu0.1
23.04 lunar
Fixed 2:12.1.5-3ubuntu0.23.04.3
22.04 LTS jammy
Fixed 2:12.1.5-3~ubuntu0.22.04.4
20.04 LTS focal
Fixed 2:11.3.0-2ubuntu0~ubuntu20.04.7
18.04 LTS bionic
16.04 LTS xenial
14.04 LTS trusty Ignored end of ESM support, was needs-triage

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Severity score breakdown

Parameter Value
Base score 7.5 · High
Attack vector Adjacent
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

    • USN-6463-1
    • Open VM Tools vulnerabilities
    • 31 October 2023
    • USN-6463-2
    • Open VM Tools vulnerabilities
    • 6 December 2023

Other references