Advisory ID: VMSA-2019-0017
Advisory Severity: Moderate
CVSSv3 Range: 4.3
Synopsis: VMware SD-WAN by VeloCloud update addresses information disclosure vulnerability (CVE-2019-5533)
Issue Date: 2019-10-16
Updated On: 2019-10-16 (Initial Advisory)
CVE(s): CVE-2019-5533
1. Impacted Products
  • VMware SD-WAN by VeloCloud (VeloCloud)
2. Introduction

An information disclosure vulnerability in VeloCloud was reported to VMware. Patches are available to remediate this vulnerability in VeloCloud. VMware-hosted VeloCloud Orchestrators have been patched for this issue.

3. VeloCloud information disclosure vulnerability (CVE-2019-5533)


The VeloCloud Orchestrator parameter authorization check mistakenly allows enterprise users to obtain information of Managed Service Provider accounts. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 4.3.


Known Attack Vectors:

An enterprise user who is authenticated to the VeloCloud Orchestrator is able to retrieve information about users of type "MSP". This information includes username, first and last name, phone numbers and e-mail address if present, but no other personal data.



To remediate CVE-2019-5533, update VeloCloud Orchestrator to the version listed in the 'Fixed Version' column of the 'Resolution Matrix' found below. VMware-hosted VeloCloud Orchestrators have been patched for this issue.





Additional Documentations:




VMware would like to thank Silas Bärtsch of Compass Security for reporting this issue to us.


Response Matrix:

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documents
VeloCloud Orchestrator
None None

4. References:

Mitre CVE Dictionary Links:


Fixed Version(s) and Release Notes:


VeloCloud 3.3.1


5. Change Log:

2019-10-16 VMSA-2019-0017
Initial security advisory.


6. Contact


E-mail list for product security notifications and announcements:


This Security Advisory is posted to the following lists:



PGP key at:


VMware Security Advisories


VMware Security Response Policy


VMware Lifecycle Support Phases


VMware Security & Compliance Blog




Copyright 2019 VMware Inc. All rights reserved.

