CVE-2023-20900

2023-08-3109:45:43

vmware

www.cve.org

vmware

vsphere

guest operation privileges

guest alias

privilege escalation

7.1 High

CVSS3

Attack Vector

ADJACENT

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

7.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

45.0%

JSON

A malicious actor that has been granted Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Windows"
    ],
    "product": "VMware Tools",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "12.x.x"
      },
      {
        "status": "affected",
        "version": "11.x.x"
      },
      {
        "status": "affected",
        "version": "10.3.x"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Linux"
    ],
    "product": "VMware Tools",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "10.3.x"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Linux"
    ],
    "product": "VMware Tools (open-vm-tools)",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "12.x.x"
      },
      {
        "status": "affected",
        "version": "11.x.x"
      },
      {
        "status": "affected",
        "version": "10.3.x"
      }
    ]
  }
]