History: Jul 11, 2024 - 5:15 a.m.

CVE-2024-22280

2024-07-11 05:15:10
CWE-89
vmware
web.nvd.nist.gov
vmware
aria automation
sql-injection
vulnerability
database
input validation

CVSS3: 8.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

AI Score: 9.4
Confidence: High

EPSS: 0.001
Percentile: 16.6%

VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product. An authenticated malicious user could enter specially crafted SQL queries and perform unauthorised read/write operations in the database.

Affected configurations

Nvd

Node
vmware aria_automation, Range: <8.17.0
OR
vmware cloud_foundation, Range: 4.0–5.0

Vendor | Product | Version | CPE
vmware | aria_automation | * | cpe:2.3:a:vmware:aria_automation:*:*:*:*:*:*:*:*
vmware | cloud_foundation | * | cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "VMware Aria Automation",
    "vendor": "VMware",
    "versions": [
      {
        "lessThan": "8.17.0",
        "status": "affected",
        "version": "8.x",
        "versionType": "8.17.0"
      }
    ]
  }
]
