The tunnel-server component of the VMware View Connection Server fails to ensure that each requested URL refers to a file that is both located within the web root of the server and is of a type that is allowed to be served. A remote unauthenticated attacker can use this weakness to retrieve arbitrary files from the affected server's underlying root file system. This can be accomplished by submitting URL encoded HTTP GET requests that traverse out of the affected subdirectory. Vulnerable versions are VMware View 5.x prior to version 5.1.2 and VMware View 4.x prior to version 4.6.2.
14e01b0fa8f4481ea0b38ddb0478d93a93097b2da5dc0b8af3f6b84b2bbe854a