CVE-2020-3952: VMware vCenter Server LDAP Broken Access Control

Date: 2025-08-01 | Affected software: VMware vCenter Server | PoC: public

Vulnerability description

Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.

PoC code [public]

id: CVE-2020-3952

info:
  name: VMware vCenter Server LDAP Broken Access Control
  author: 0x_Akoko
  severity: critical
  description: |
    Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.
  impact: |
    Unauthorized users may access sensitive functions, potentially leading to privilege escalation or data exposure.
  remediation: |
    Apply the latest security patches and updates provided by VMware to address access control issues.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2020-3952
    - https://www.vmware.com/security/advisories/VMSA-2020-0006.html
    - https://github.com/guardicore/vmware_vcenter_cve_2020_3952
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-3952
    cwe-id: CWE-306
    epss-score: 0.94355
    epss-percentile: 0.99955
    cpe: cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*
  metadata:
    verified: false
    max-request: 1
    vendor: vmware
    product: vcenter_server
  tags: cve,cve2020,vmware,vcenter,ldap,auth-bypass,passive,kev,vkev

http:
  - raw:
      - |
        POST /sdk/ HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml
        SOAPAction: "urn:vim25/6.5"

        <?xml version="1.0" encoding="UTF-8"?>
        <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
           <soap:Header>
              <operationID>00000001-00000001</operationID>
           </soap:Header>
           <soap:Body>
              <RetrieveServiceContent xmlns="urn:internalvim25">
                 <_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this>
              </RetrieveServiceContent>
           </soap:Body>
        </soap:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'RetrieveServiceContentResponse'
          - 'urn:vim'
        condition: or

      - type: word
        part: content_type
        words:
          - "text/xml"

      - type: status
        status:
          - 200

      - type: dsl
        dsl:
          - compare_versions(version, '< 6.7.0')

    extractors:
      - type: regex
        part: body
        name: version
        group: 1
        regex:
          - "<version>([^<]+)</version>"
# digest: 490a00463044022074c2dac8da2bb064648fde38dcd5156590c886cbd144b857cccf70b631b76609022010569025b707a8291ef1c30beb257177fdc4b7a17f901339aeb6c0547db48bb7:922c64590222798bb761d5b6d8e72950
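The template above only fires when all four matchers agree: the SOAP body names RetrieveServiceContentResponse or urn:vim, the response is text/xml with status 200, and the value pulled out of the first <version> element compares below 6.7.0. The following Python is an added example, not part of the Nuclei template or the vendor's code: it reimplements that matcher chain offline so a defender can check, against a saved RetrieveServiceContent response, which of their vCenter hosts the template would flag. The SOAP response body is a constructed sample (the build number is a placeholder), and the semantic version comparison is an assumption about how nuclei's compare_versions behaves, padding 6.7 to 6.7.0 so that a short version string is not misread.

```python
import re

# Same extractor regex as the template: first <version> element in the SOAP body.
VERSION_RE = re.compile(r"<version>([^<]+)</version>")

# Constructed sample of a RetrieveServiceContent reply; not captured from a real host,
# and the build number is a placeholder.
SAMPLE_RESPONSE_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<RetrieveServiceContentResponse xmlns="urn:vim25"><returnval>
<about><name>VMware vCenter Server</name>
<fullName>VMware vCenter Server 6.5.0 build-00000000</fullName>
<vendor>VMware, Inc.</vendor><version>6.5.0</version><build>00000000</build>
</about></returnval></RetrieveServiceContentResponse>
</soapenv:Body></soapenv:Envelope>
"""


def extract_version(body: str):
    """Return the text of the first <version> element, or None if absent."""
    match = VERSION_RE.search(body)
    return match.group(1) if match else None


def parse_version(text: str):
    """Turn '6.7.0' into (6, 7, 0); stop at the first non-numeric component."""
    parts = []
    for piece in text.strip().split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)


def version_is_less_than(version: str, threshold: str) -> bool:
    """Numeric comparison, zero-padded so '6.7' compares equal to '6.7.0'."""
    a, b = parse_version(version), parse_version(threshold)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def template_matches(status: int, content_type: str, body: str,
                     threshold: str = "6.7.0") -> bool:
    """Mirror the template's matchers, joined with matchers-condition: and."""
    word_ok = "RetrieveServiceContentResponse" in body or "urn:vim" in body
    content_type_ok = "text/xml" in content_type
    status_ok = status == 200
    version = extract_version(body)
    if version is None:
        # No extracted version: the dsl matcher cannot evaluate, treat as no match.
        return False
    return word_ok and content_type_ok and status_ok and version_is_less_than(version, threshold)


if __name__ == "__main__":
    flagged = template_matches(200, "text/xml; charset=utf-8", SAMPLE_RESPONSE_BODY)
    print("version:", extract_version(SAMPLE_RESPONSE_BODY), "flagged:", flagged)
```

Feed the function the status, Content-Type header and body of a stored response to see whether a given host falls under the template's version condition; a host that reports 6.7.0 or later is not flagged by this template even though the advisory should still be checked for the exact patched build.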
