CVE-2024-22270: 
NixOS vulnerability analysis and mitigation

VMware Workstation and Fusion contain an information disclosure vulnerability (CVE-2024-22270) in the Host Guest File Sharing (HGFS) functionality. The vulnerability was discovered and reported by Gwangun Jung (@pr0ln) & Junoh Lee (@bbbig12) of Theori (@theori_io) during the Pwn2Own competition. The issue was disclosed on May 14, 2024, affecting VMware Workstation 17.x and Fusion 13.x versions (VMware Advisory).

The vulnerability has been assigned a CVSSv3 base score of 7.1 (Important severity) with the following vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. This indicates that the vulnerability requires local access, has low attack complexity, requires no privileges, needs no user interaction, has a changed scope, and can result in high confidentiality impact without affecting integrity or availability (VMware Advisory).

The vulnerability allows a malicious actor with local administrative privileges on a virtual machine to read privileged information contained in hypervisor memory from a virtual machine. This could potentially expose sensitive data stored in the hypervisor's memory space (VMware Advisory).

VMware has released patches to address this vulnerability. Users should update to VMware Workstation version 17.5.2 or VMware Fusion version 13.5.2. No workarounds are available for this vulnerability, making the update the only solution to address the security issue (VMware Advisory).