
VMware released a patch on Tuesday to address a critical security vulnerability affecting its Carbon Black App Control product.
Tracked as CVE-2023-20858, the shortcoming has a CVSS score of 9.1 out of a maximum of 10 and affects App Control versions 8.7.x, 8.8.x, and 8.9.x.
The virtualization services provider describes the issue as an injection vulnerability. Security researcher Jari Jääskelä is credited with discovering and reporting the bug.
“A malicious actor with privileged access to the App Control management console could use specially crafted input to grant access to the underlying server operating system,” the company said in an advisory.
According to VMware, there are no workarounds to resolve this vulnerability and customers should update to versions 8.7.8, 8.8.6, and 8.9.4 to mitigate the potential risk.
It is worth pointing out that Jääskelä is also credited with reporting two critical vulnerabilities in the same product (CVE-2022-22951 and CVE-2022-22952, CVSS score: 9.1) that VMware resolved in March 2022.
The company also fixed an XML External Entity (XXE) vulnerability (CVE-2023-20855, CVSS score: 8.8) affecting vRealize Orchestrator, vRealize Automation, and Cloud Foundation.
“A malicious actor with non-administrative access to vRealize Orchestrator could use specially crafted input to bypass XML parsing restrictions that could lead to access to sensitive information or escalation of privileges,” VMware said.
Attackers often target vulnerabilities in Fortinet products, so it is important that users install the patch as soon as possible.