Security News > 2023 > February > VMware warns admins of critical Carbon Black App Control flaw
VMware has released a critical security upgrade to address a critical injection vulnerability that impacts several versions of Carbon Black App Control for Windows.
Carbon Black App Control is a suite designed to help large organizations ensure that its critical endpoints run only trusted and approved software.
"A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system," reads VMware's advisory.
CVE-2023-20858 impacts VMware Carbon Black App Control for Windows version 8.7.7 and older, version 8.8.5 and older, and version 8.9.3 and older.
On Tuesday, VMware also patched CVE-2023-20855, a high-severity XXE injection flaw that could enable an attacker to bypass XML parsing restrictions to access sensitive information or perform privilege escalation.
CVE-2023-20855 impacts VMware Orchestrator below v8.11.1, vRealize Automation below v8.11.1, and VMware Cloud Foundation 4.x..
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-02-22 | CVE-2023-20858 | Injection vulnerability in VMWare Carbon Black APP Control VMware Carbon Black App Control 8.7.x prior to 8.7.8, 8.8.x prior to 8.8.6, and 8.9.x.prior to 8.9.4 contain an injection vulnerability. | 7.2 |
2023-02-22 | CVE-2023-20855 | XXE vulnerability in VMWare Vrealize Automation and Vrealize Orchestrator VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. | 8.8 |