CVE-2023-20855

2023-02-2200:15:11

CWE-611

[email protected]

web.nvd.nist.gov

vmware

vrealize orchestrator

xxe

vulnerability

nvd

cve-2023-20855

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.6%

JSON

VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges.

Affected configurations

NVD

Node

vmwarevrealize_automationRange8.0–8.11.1

vmwarevrealize_orchestratorRange8.0–8.11.1

CPENameOperatorVersion
vmware:vrealize_automationvmware vrealize automationlt8.11.1
vmware:vrealize_orchestratorvmware vrealize orchestratorlt8.11.1

CPE	Name	Operator	Version
vmware:vrealize_automation	vmware vrealize automation	lt	8.11.1
vmware:vrealize_orchestrator	vmware vrealize orchestrator	lt	8.11.1

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "VMware vRealize Orchestrator, VMware vRealize Automation, VMware Cloud Foundation",
    "versions": [
      {
        "version": "VMware vRealize Orchestrator 8.x",
        "status": "affected"
      }
    ]
  }
]