VMware patches critical injection flaw in Carbon Black App Control (CVE-2023-20858)
VMware has fixed a critical vulnerability in Carbon Black App Control, its enterprise solution for preventing untrusted software from executing on critical systems and endpoints.
Even though the flaw was privately reported to VMware and there is no mention of it being actively exploited, admins are urged to upgrade to a fixed version as soon as possible.
To exploit CVE-2023-20858 - an injection vulnerability that could allow a malicious actor to gain access to the underlying server operating system - the attacker must have privileged access to the App Control administration console and use specially crafted input.
Flagged by bug hunter Jari Jääskelä, the vulnerability has been fixed in Carbon Black App Control versions 8.9.4, 8.8.6 and 8.7.8.
VMware has also fixed CVE-2023-20855, an "Important" XML External Entity vulnerability in vRealize Orchestrator.
"A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges," the company explained.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-02-22 | CVE-2023-20858 | Injection vulnerability in VMware Carbon Black App Control. VMware Carbon Black App Control 8.7.x prior to 8.7.8, 8.8.x prior to 8.8.6, and 8.9.x prior to 8.9.4 contain an injection vulnerability. | 7.2 |
2023-02-22 | CVE-2023-20855 | XXE vulnerability in VMware vRealize Automation and vRealize Orchestrator. VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. | 8.8 |