VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges.
References
Link | Resource |
---|---|
https://www.vmware.com/security/advisories/VMSA-2023-0005.html | Patch Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
03 Mar 2023, 14:04
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-611 | |
CPE | cpe:2.3:a:vmware:vrealize_automation:*:*:*:*:*:*:*:* cpe:2.3:a:vmware:vrealize_orchestrator:*:*:*:*:*:*:*:* |
|
References | (MISC) https://www.vmware.com/security/advisories/VMSA-2023-0005.html - Patch, Vendor Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 8.8 |
First Time |
Vmware vrealize Automation
Vmware Vmware vrealize Orchestrator |
22 Feb 2023, 00:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-02-22 00:15
Updated : 2023-12-10 14:48
NVD link : CVE-2023-20855
Mitre link : CVE-2023-20855
CVE.ORG link : CVE-2023-20855
JSON object : View
Products Affected
vmware
- vrealize_automation
- vrealize_orchestrator
CWE
CWE-611
Improper Restriction of XML External Entity Reference