VMware has released a security update for a critical vulnerability in its enterprise-facing Carbon Black App Control product. The flaw, tracked as CVE-2023-20858, carries a CVSSv3 base score of 9.1 out of 10. It is an injection vulnerability: an attacker who already holds privileged access to the App Control administration console can supply specially crafted input and gain access to the underlying server operating system, turning control of the security console into control of the Windows host it runs on.
"A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system," said VMware. The issue affects App Control versions 8.7.x, 8.8.x and 8.9.x running on Microsoft's Windows operating system; VMware's advisory (VMSA-2023-0004) lists 8.7.8, 8.8.6 and 8.9.4 as the fixed builds. It was privately reported by Jari Jääskelä, a security researcher active on the HackerOne bug bounty platform. The precondition matters when triaging: this is not an unauthenticated remote exploit, so the realistic threat is a compromised or malicious console administrator. That is still a serious scenario, because App Control decides which software is allowed to execute on every endpoint it manages, so a takeover of the server has reach across the whole fleet.
VMware also issued an important-severity advisory (VMSA-2023-0005) for an XML external entity (XXE) flaw in its vRealize Orchestrator product, CVE-2023-20855, which can lead to privilege escalation and information disclosure. "A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges," the company said. Unlike the App Control bug, this one is reachable by a low-privileged user, so it should not be deprioritised on the strength of its lower score alone.
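What "XML parsing restrictions" means in practice, as an added illustration that is not vRealize Orchestrator's code and says nothing about how this particular flaw is triggered: a parser that honours a DOCTYPE will expand any entity the document declares, so the usual restriction is to refuse documents that carry a DOCTYPE or entity declaration at all, before any content is processed. The two documents below are constructed for this example, and the entity value is a stand-in for whatever a real external entity reference would pull in; the code uses only the Python standard library's expat bindings.

```python
import xml.parsers.expat


class DoctypeRejected(Exception):
    """Raised when a document carries a DTD, which is where entities get declared."""


# Constructed sample input: a harmless document of the kind an orchestration
# product might accept from a user.
BENIGN = b'<?xml version="1.0"?><workflow><name>backup</name></workflow>'

# Constructed sample input: the same document with a DOCTYPE that declares an
# entity and then references it in content. The literal value stands in for
# what an external entity (SYSTEM "file:///...") would inject.
CRAFTED = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE workflow [<!ENTITY leak "contents-of-a-protected-file">]>'
    b'<workflow><name>&leak;</name></workflow>'
)


def _collect_text(parser, out):
    """Accumulate character data so we can see what the parser actually produced."""
    def handler(data):
        out.append(data)
    parser.CharacterDataHandler = handler


def parse_unrestricted(xml_bytes):
    """Parse with DTD processing left at the default: declared entities are expanded."""
    parser = xml.parsers.expat.ParserCreate()
    text = []
    _collect_text(parser, text)
    parser.Parse(xml_bytes, True)
    return "".join(text)


def parse_restricted(xml_bytes):
    """Parse, but abort as soon as a DOCTYPE or entity declaration appears.

    Raising inside an expat handler aborts the parse, so no element content
    after the DTD is ever delivered to the application.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected("DOCTYPE not allowed: %s" % doctype_name)

    def reject_entity(entity_name, is_parameter_entity, value, base,
                      system_id, public_id, notation_name):
        raise DoctypeRejected("entity declaration not allowed: %s" % entity_name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    text = []
    _collect_text(parser, text)
    parser.Parse(xml_bytes, True)
    return "".join(text)


def accepts(xml_bytes):
    """True if the restricted parser accepts the document, False if it is rejected."""
    try:
        parse_restricted(xml_bytes)
        return True
    except DoctypeRejected:
        return False


if __name__ == "__main__":
    print("unrestricted, benign :", parse_unrestricted(BENIGN))
    print("unrestricted, crafted:", parse_unrestricted(CRAFTED))
    print("restricted, benign   :", accepts(BENIGN))
    print("restricted, crafted  :", accepts(CRAFTED))
```

The unrestricted parser hands back the entity's value as if it were ordinary element text, which is exactly the channel an XXE abuses; the restricted parser never reaches the content. Rejecting the DOCTYPE outright is blunter than disabling only external entities, but it is the setting that is hardest to get subtly wrong, and it is what most "bypass XML parsing restrictions" fixes end up enforcing.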