TLDR:
- VMware is urging users to uninstall the deprecated Enhanced Authentication Plugin (EAP) due to a critical security flaw.
- The flaw, CVE-2024-22245, allows arbitrary authentication relay, putting Active Directory at risk.
VMware has disclosed a critical security flaw in the deprecated Enhanced Authentication Plugin (EAP), tracked as CVE-2024-22245 with a CVSS score of 9.6. The vulnerability allows arbitrary authentication relay, putting Active Directory at risk. EAP, deprecated since March 2021, is a software package that enables direct login to vSphere's management interfaces through a web browser. A second flaw in the EAP tool, a session hijack vulnerability (CVE-2024-22250, CVSS score: 7.8), was also found. Because the plugin is no longer maintained, users are advised to remove it rather than wait for a patch. Separately, SonarSource disclosed cross-site scripting flaws in Joomla! and vulnerabilities in the Apex programming language developed by Salesforce. These vulnerabilities underline the importance of software security and timely updates.
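The advice above is to remove the plugin, which first requires knowing where it is still installed. The following PowerShell check is an added example written for this digest; it is not VMware's own tooling and the article does not describe it. It assumes the plugin registers itself in the standard Windows Uninstall registry keys with a DisplayName containing "Enhanced Authentication" (the name used above); if your installs report a different name, adjust the pattern.

```powershell
# Added example (not from the article): inventory check for the deprecated
# VMware Enhanced Authentication Plugin (EAP) on a Windows host.
# Assumption: the plugin appears under the standard Uninstall registry keys
# with a DisplayName matching "*Enhanced Authentication*".

function Find-VmwareEap {
    [CmdletBinding()]
    param(
        # Assumed DisplayName pattern; change it if your install reports another name.
        [string]$NamePattern = '*Enhanced Authentication*'
    )

    # 64-bit, 32-bit (WOW6432Node) and per-user install locations.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, UninstallString
}

# Usage: report any matching installs on this host. An empty result means
# nothing matched the pattern, not necessarily that the plugin is absent.
$found = Find-VmwareEap
if ($found) {
    Write-Warning 'Deprecated VMware EAP still installed (CVE-2024-22245 / CVE-2024-22250): remove it.'
    $found | Format-Table -AutoSize
} else {
    Write-Output 'No VMware Enhanced Authentication Plugin entries found in the Uninstall keys.'
}
```

The UninstallString column is included so an administrator can see which uninstaller the entry points at before removing it; running the check across a fleet (for example through a remote PowerShell session or your endpoint management tool) turns the one-line advisory into an inventory of hosts that still need attention.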