VMware Addresses High-Severity SQL-Injection Vulnerability in Aria Automation Product

July 11, 2024

VMware, a company specializing in virtualization, has addressed a critical SQL-injection vulnerability in its Aria Automation solution. This vulnerability, known as CVE-2024-22280, carries a CVSSv3 base score of 8.5.

The Aria Automation solution, previously known as vRealize Automation, is a modern cloud automation platform designed to simplify and streamline the deployment, management, and governance of cloud infrastructure and applications. It offers a unified platform for automating tasks across various cloud environments, including VMware Cloud on AWS, VMware Cloud on Azure, and VMware Cloud Foundation.

The flaw is reachable only by an authenticated user, but such a user can supply crafted SQL input and reach data the application never meant to expose or modify. The advisory states, “An authenticated malicious user could enter specially crafted SQL queries and perform unauthorized read/write operations in the database.”
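The advisory does not describe where in Aria Automation the injection occurs, so the following is an added, generic illustration of the bug class and its fix, not VMware's code and not a reconstruction of CVE-2024-22280. It uses a constructed in-memory SQLite table of "deployments" (hypothetical schema) and contrasts a query built by string interpolation with the parameterized form, showing how an authenticated user scoped to their own rows can read every row when the filter is spliced into SQL text:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three deployments owned by two users (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE deployments (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO deployments (owner, name) VALUES (?, ?)",
        [("alice", "web-tier"), ("alice", "db-tier"), ("bob", "batch-jobs")],
    )
    conn.commit()
    return conn


def list_deployments_unsafe(conn: sqlite3.Connection, owner: str, name_filter: str) -> list[str]:
    """Vulnerable pattern: the caller-supplied filter becomes part of the SQL text.

    The owner check is meant to scope results to the authenticated user, but a
    filter containing a quote and a comment marker rewrites the WHERE clause and
    the scoping is lost.
    """
    sql = (
        "SELECT name FROM deployments "
        f"WHERE owner = '{owner}' AND name LIKE '{name_filter}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def list_deployments_safe(conn: sqlite3.Connection, owner: str, name_filter: str) -> list[str]:
    """Hardened form: placeholders keep the query text fixed; values are bound separately.

    Whatever the filter contains is compared as data against the name column and
    can never alter the statement's structure.
    """
    sql = "SELECT name FROM deployments WHERE owner = ? AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (owner, name_filter + "%"))]


def demo() -> dict[str, list[str]]:
    """Run both variants with a benign filter and with a constructed hostile one."""
    conn = make_db()
    hostile = "x' OR 1=1 --"  # constructed input; '--' comments out the rest of the statement
    return {
        "unsafe_benign": list_deployments_unsafe(conn, "alice", "web"),
        "safe_benign": list_deployments_safe(conn, "alice", "web"),
        "unsafe_hostile": list_deployments_unsafe(conn, "alice", hostile),
        "safe_hostile": list_deployments_safe(conn, "alice", hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The benign filter behaves identically in both versions; the hostile one returns bob's deployment from the unsafe query and nothing from the safe one. Parameterization is the fix the advisory's description points to; running the application's database account with only the table privileges it needs limits what an injection can read or write if one is missed.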

This vulnerability affects VMware Aria Automation version 8.x, and Cloud Foundation versions 5.x and 4.x. VMware has credited Alexandre Lavoie and Felix Boulet from the Canadian Centre gouvernemental de cyberdéfense (CGCD) for privately reporting this issue. VMware has stated that there are no workarounds for this issue.

Earlier in January, VMware addressed another critical vulnerability, known as CVE-2023-34063 (with a CVSS score of 9.9), which also impacted its Aria Automation platform. This problem was a missing access control vulnerability that could be exploited by an authenticated attacker to gain unauthorized access to remote organizations and workflows.
