
VMware warns admins of critical Carbon Black App Control flaw
2023-02-22 17:12

VMware has released a security update to address a critical injection vulnerability that impacts several versions of Carbon Black App Control for Windows.

Carbon Black App Control is a suite designed to help large organizations ensure that their critical endpoints run only trusted and approved software.

"A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system," reads VMware's advisory.

CVE-2023-20858 impacts VMware Carbon Black App Control for Windows version 8.7.7 and older, version 8.8.5 and older, and version 8.9.3 and older.

On Tuesday, VMware also patched CVE-2023-20855, a high-severity XXE injection flaw that could enable an attacker to bypass XML parsing restrictions to access sensitive information or perform privilege escalation.

CVE-2023-20855 impacts VMware Orchestrator below v8.11.1, vRealize Automation below v8.11.1, and VMware Cloud Foundation 4.x.
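As an added example (not code from the article or from VMware), a small Python check that encodes the affected-version ranges stated above, so an inventory export can be screened for hosts still exposed. The version boundaries are transcribed from the text; the function names and the sample inventory are this snippet's own, and Cloud Foundation 4.x is deliberately not modelled because the advisory gives no fixed build for it.

```python
"""Screen product versions against the ranges this advisory lists as affected."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# CVE-2023-20858: Carbon Black App Control, fixed per branch
# (8.7.8, 8.8.6, 8.9.4). Anything on the branch below the fix is affected.
APP_CONTROL_FIXED: Dict[Tuple[int, int], Version] = {
    (8, 7): (8, 7, 8),
    (8, 8): (8, 8, 6),
    (8, 9): (8, 9, 4),
}

# CVE-2023-20855: vRealize Orchestrator / Automation below 8.11.1.
VREALIZE_FIXED: Version = (8, 11, 1)


def parse_version(text: str) -> Version:
    """'v8.8.5' -> (8, 8, 5); tuple comparison then orders versions numerically."""
    return tuple(int(part) for part in text.strip().lower().lstrip("v").split("."))


def app_control_affected(version: str) -> Optional[bool]:
    """True/False for the three branches the advisory names; None for a branch
    the advisory does not cover (e.g. 8.10.x), which must be assessed separately."""
    v = parse_version(version)
    fixed = APP_CONTROL_FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def vrealize_affected(version: str) -> bool:
    """Orchestrator and Automation share the single 8.11.1 fix version."""
    return parse_version(version) < VREALIZE_FIXED


if __name__ == "__main__":
    # Constructed sample inventory (hostname, product, version); not real hosts.
    inventory = [
        ("appctl-01", "App Control", "8.8.5"),
        ("appctl-02", "App Control", "8.9.4"),
        ("appctl-03", "App Control", "8.10.1"),
        ("vro-01", "vRealize Orchestrator", "v8.11.0"),
    ]
    for host, product, ver in inventory:
        status = app_control_affected(ver) if product == "App Control" else vrealize_affected(ver)
        label = {True: "AFFECTED", False: "fixed", None: "not covered by advisory"}[status]
        print(f"{host:<10} {product:<22} {ver:<8} {label}")
```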


News URL

https://www.bleepingcomputer.com/news/security/vmware-warns-admins-of-critical-carbon-black-app-control-flaw/

Related Vulnerability

2023-02-22 | CVE-2023-20858 | Injection vulnerability in VMware Carbon Black App Control | Risk 7.2
  VMware Carbon Black App Control 8.7.x prior to 8.7.8, 8.8.x prior to 8.8.6, and 8.9.x prior to 8.9.4 contain an injection vulnerability.
  Attack vector: network; attack complexity: low; vendor: vmware; CWE-74

2023-02-22 | CVE-2023-20855 | XXE vulnerability in VMware vRealize Automation and vRealize Orchestrator | Risk 8.8
  VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability.
  Attack vector: network; attack complexity: low; vendor: vmware; CWE-611

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Vmware 146 11 222 256 102 591