CVE-2022-22948: 
vSphere vCenter Server vulnerability analysis and mitigation

CVE-2022-22948 is an information disclosure vulnerability discovered in VMware vCenter Server. The vulnerability was privately reported to VMware by Yuval Lazar of Pentera and was publicly disclosed on March 29, 2022. The vulnerability affects VMware vCenter Server and VMware Cloud Foundation products, specifically impacting Virtual Appliance versions of vCenter Server 6.5, 6.7, and 7.0, while Windows versions remain unaffected (VMware Advisory).

The vulnerability stems from improper permission settings of files in vCenter Server. It has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-276 (Incorrect Default Permissions) (NVD).

When exploited, this vulnerability allows a malicious actor with non-administrative access to the vCenter Server to gain access to sensitive information. The vulnerability could potentially be used as part of an exploit chain to achieve full control of an organization's ESXi servers when combined with other vulnerabilities (Tenable).

VMware has released patches to address this vulnerability. The fixed versions include vCenter Server 7.0 U3d, 6.7 U3p, and 6.5 U3r. For Cloud Foundation, versions 4.4.1 and 3.11 contain the fixes. No workarounds are available, making patch installation the only remediation option (VMware Advisory).