VMware on Tuesday released patches to address a critical security vulnerability affecting its Carbon Black App Control product.
Tracked as CVE-2023-20858, the shortcoming carries a CVSS score of 9.1 out of a maximum of 10 and impacts App Control versions 8.7.x, 8.8.x, and 8.9.x.
The virtualization services provider describes the issue as an injection vulnerability. Security researcher Jari Jääskelä has been credited with discovering and reporting the bug.
“A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system,” the company said in an advisory.
VMware said there are no workarounds that address the flaw, so customers need to update to the fixed release for their branch, 8.7.8, 8.8.6, or 8.9.4, to mitigate potential risks. Note that the flaw requires privileged console access, so administrator accounts for App Control should also be reviewed as part of the response.
It's worth pointing out that Jääskelä was also credited with reporting two critical vulnerabilities in the same product (CVE-2022-22951 and CVE-2022-22952, CVSS scores: 9.1) that were resolved by VMware in March 2022.
Also patched by the company is an XML External Entity (XXE) vulnerability (CVE-2023-20855, CVSS score: 8.8) affecting vRealize Orchestrator, vRealize Automation, and Cloud Foundation.
“A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges,” VMware said.
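To make the vulnerability class concrete, here is an added Python example. It is not VMware's code and says nothing about how vRealize Orchestrator parses XML; it only shows what "bypassing XML parsing restrictions" with an external entity means in practice. The same document, whose DOCTYPE declares an external entity pointing at a local file, is parsed once with external entity resolution enabled and once with the hardened default. The temp file, its contents, and the XML payload are constructed for the demo.

```python
"""XXE demonstration with the Python standard library (xml.sax).

Added example; not VMware's code. The secret file, its contents and the
XML payload below are all constructed for the demonstration.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges
from xml.sax.xmlreader import InputSource


class TextCollector(ContentHandler):
    """Collects character data so we can see exactly what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def build_xxe_document(secret_path):
    """Constructed attacker input: the internal DTD subset declares an external
    general entity that points at a local file, and the body references it."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE request [<!ENTITY xxe SYSTEM "{secret_path}">]>\n'
        "<request><name>&xxe;</name></request>"
    )


def parse_document(xml_text, allow_external):
    """Parse xml_text with xml.sax and return the character data the handler saw.

    allow_external=True mirrors a server whose parser resolves external entities
    (the XXE-prone configuration). False is the hardened setting, which is also
    the xml.sax default since Python 3.7.1: the reference is silently dropped.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external)
    handler = TextCollector()
    parser.setContentHandler(handler)
    source = InputSource()
    source.setByteStream(io.BytesIO(xml_text.encode()))
    parser.parse(source)
    return handler.text()


def demo():
    """Write a fake secret to a temp file, then parse the same payload both ways.

    Returns (text seen by the XXE-prone parser, text seen by the hardened parser).
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("db_password=hunter2")  # constructed secret, not real data
        secret_path = f.name
    try:
        payload = build_xxe_document(secret_path)
        leaked = parse_document(payload, allow_external=True)
        safe = parse_document(payload, allow_external=False)
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("external entities enabled :", repr(leaked))
    print("external entities disabled:", repr(safe))
```

Running the script shows the file contents flowing into the parsed document in the first case and an empty `<name>` element in the second. The hardened behaviour is the one a server should have regardless of language; in Java, for instance, the equivalent is disabling DOCTYPE declarations on the `DocumentBuilderFactory` via the `http://apache.org/xml/features/disallow-doctype-decl` feature, which blocks the entity declaration before any resolution can happen.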
It's not uncommon for threat actors to target VMware product vulnerabilities in their attacks, so it's essential that users install the patches as soon as possible.