VMware on Tuesday released patches to address a critical security vulnerability affecting its Carbon Black App Control product.
Tracked as CVE-2023-20858, the flaw carries a CVSS score of 9.1 out of a maximum of 10 and impacts App Control versions 8.7.x, 8.8.x, and 8.9.x.
The virtualization services provider describes the issue as an injection vulnerability. Security researcher Jari Jääskelä has been credited with discovering and reporting the bug.
“A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system,” the company said in an advisory.
VMware said there are no workarounds that resolve the flaw, necessitating that customers update to versions 8.7.8, 8.8.6, and 8.9.4 to mitigate potential risks.
It's worth noting that Jääskelä was also credited with reporting two critical vulnerabilities in the same product (CVE-2022-22951 and CVE-2022-22952, CVSS scores: 9.1) that were resolved by VMware in March 2022.
Also fixed by the company is an XML External Entity (XXE) vulnerability (CVE-2023-20855, CVSS score: 8.8) affecting vRealize Orchestrator, vRealize Automation, and Cloud Foundation.
“A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or potential escalation of privileges,” VMware said.
It's not uncommon for threat actors to target VMware product vulnerabilities in their attacks, so it is essential that users install the patches as soon as possible.