Headline
CVE-2022-22977: VMSA-2022-0015
VMware Tools for Windows(12.0.0, 11.x.y and 10.x.y) contains an XML External Entity (XXE) vulnerability. A malicious actor with non-administrative local user privileges in the Windows guest OS, where VMware Tools is installed, may exploit this issue leading to a denial-of-service condition or unintended information disclosure.
Advisory ID: VMSA-2022-0015
CVSSv3 Range: 5.8
Issue Date: 2022-05-24
Updated On: 2022-05-24 (Initial Advisory)
CVE(s): CVE-2022-22977
Synopsis: VMware Tools for Windows update addresses an XML External Entity (XXE) vulnerability (CVE-2022-22977)
Share this page on social media
Sign up for Security Advisories
****1. Impacted Products****
- VMware Tools for Windows
****2. Introduction****
An XML External Entity (XXE) vulnerability in VMware Tools for Windows was privately reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.
****3. XML External Entity (XXE) vulnerability (CVE-2022-22977)****
VMware Tools for Windows contains an XML External Entity (XXE) vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.8.
A malicious actor with non-administrative local user privileges in the Windows guest OS, where VMware Tools is installed, may exploit this issue leading to a denial-of-service condition or unintended information disclosure.
To remediate CVE-2022-22977 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
VMware would like to thank ycdxsb of VARAS@IIE, Jake Baines of Rapid7 and Sascha Meyer of GAI NetConsult GmbH for reporting this issue to us.
Product
Version
Running On
CVE Identifier
CVSSv3
Severity
Fixed Version
Workarounds
Additional Documentation
VMware Tools for Windows
12.0.0, 11.x.y and 10.x.y
Windows
CVE-2022-22977
5.8
moderate
12.0.5
None
None
****4. References****
****5. Change Log****
**2022-05-24 VMSA-2022-0015
**Initial security advisory.
****6. Contact****