CVE-2024-22245

Arbitrary Authentication Relay and Session Hijack vulnerabilities in the deprecated VMware Enhanced Authentication Plug-in (EAP) could allow a malicious actor that could trick a target domain user with EAP installed in their web browser into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs).

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://www.vmware.com/security/advisories/VMSA-2024-0003.html

Configurations

No configuration.

History

No history.

Information

Published : 2024-02-20 18:15

Updated : 2024-05-17 02:36

NVD link : CVE-2024-22245

Mitre link : CVE-2024-22245

CVE.ORG link : CVE-2024-22245

JSON object : View

Products Affected

No product.

CWE

CWE-287

Improper Authentication

9.6 /10