CVE-2022-31704

2023-01-2621:15:37

[email protected]

web.nvd.nist.gov

115

vrealize log insight

cve-2022-31704

broken access control

vulnerability

remote code execution

nvd

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

74.6%

JSON

The vRealize Log Insight contains a broken access control vulnerability. An unauthenticated malicious actor can remotely inject code into sensitive files of an impacted appliance which can result in remote code execution.

Affected configurations

NVD

Node

vmwarevrealize_log_insightRange3.0–4.8

vmwarevrealize_log_insightRange8.0.0–8.10.2

CPENameOperatorVersion
vmware:vrealize_log_insightvmware vrealize log insightle4.8
vmware:vrealize_log_insightvmware vrealize log insightlt8.10.2

CPE	Name	Operator	Version
vmware:vrealize_log_insight	vmware vrealize log insight	le	4.8
vmware:vrealize_log_insight	vmware vrealize log insight	lt	8.10.2

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "vRealize Log Insight (vRLI)",
    "versions": [
      {
        "version": "vRealize Log Insight 8.10.1 and prior",
        "status": "affected"
      }
    ]
  }
]