Vulnerabilites related to vmware - aria_automation
Vulnerability from fkie_nvd
Published
2024-07-11 05:15
Modified
2025-03-14 19:15
Severity ?
8.5 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Summary
VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product. An authenticated malicious user could enter specially crafted SQL queries and perform unauthorised read/write operations in the database.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vmware | aria_automation | * | |
| vmware | cloud_foundation | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vmware:aria_automation:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B4AF63A2-3926-40AD-B8EF-091B01ADE7F7",
"versionEndExcluding": "8.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3D725D84-6426-459F-9B49-ADE7A13FA19A",
"versionEndIncluding": "5.0",
"versionStartIncluding": "4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product.\u00a0An authenticated malicious user could enter specially crafted SQL queries and perform unauthorised read/write operations in the database."
},
{
"lang": "es",
"value": "VMware Aria Automation no aplica la validaci\u00f3n de entrada correcta que permite la inyecci\u00f3n de SQL en el producto. Un usuario malintencionado autenticado podr\u00eda ingresar consultas SQL especialmente manipuladas y realizar operaciones de lectura/escritura no autorizadas en la base de datos."
}
],
"id": "CVE-2024-22280",
"lastModified": "2025-03-14T19:15:44.857",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 4.7,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-07-11T05:15:10.123",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24598"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24598"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-05-13 06:15
Modified
2025-07-11 14:27
Severity ?
Summary
VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability. A malicious actor may exploit this issue to steal the access token of a logged in user of VMware Aria automation appliance by tricking the user into clicking a malicious crafted payload URL.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vmware | aria_automation | 8.18.0 | |
| vmware | aria_automation | 8.18.1 | |
| vmware | aria_automation | 8.18.1 | |
| vmware | cloud_foundation | * | |
| vmware | telco_cloud_platform | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vmware:aria_automation:8.18.0:*:*:*:*:*:*:*",
"matchCriteriaId": "34CB9DCB-C7F6-48CE-B0CD-510B7E9E52D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:aria_automation:8.18.1:-:*:*:*:*:*:*",
"matchCriteriaId": "BA903210-107C-4005-9EBD-A62609D1081E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:aria_automation:8.18.1:patch1:*:*:*:*:*:*",
"matchCriteriaId": "5495556A-74A4-4FA2-B48F-55E6B0F5875D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E48E9C72-7BD4-4CC7-B44A-B5A017451552",
"versionEndIncluding": "5.2.1",
"versionStartIncluding": "4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:telco_cloud_platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3DCC8565-8FB0-4A1D-A761-48B21155A5F6",
"versionEndIncluding": "5.0.1",
"versionStartIncluding": "5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability.\u00a0A malicious actor may exploit this issue to steal the access token of a logged in user of VMware Aria automation appliance by tricking the user into clicking a malicious crafted payload URL."
},
{
"lang": "es",
"value": "La automatizaci\u00f3n de VMware Aria contiene una vulnerabilidad de Cross Site Scripting (XSS) basada en DOM. Un atacante malicioso podr\u00eda aprovechar esta vulnerabilidad para robar el token de acceso de un usuario conectado al dispositivo de automatizaci\u00f3n VMware Aria, enga\u00f1\u00e1ndolo para que haga clic en una URL maliciosa."
}
],
"id": "CVE-2025-22249",
"lastModified": "2025-07-11T14:27:30.537",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 4.7,
"source": "security@vmware.com",
"type": "Secondary"
}
]
},
"published": "2025-05-13T06:15:36.403",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Vendor Advisory",
"Patch"
],
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25711"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-01-16 10:15
Modified
2025-06-20 17:15
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H
8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
8.3 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Summary
Aria Automation contains a Missing Access Control vulnerability.
An authenticated malicious actor may
exploit this vulnerability leading to unauthorized access to remote
organizations and workflows.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security@vmware.com | https://www.vmware.com/security/advisories/VMSA-2024-0001.html | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.vmware.com/security/advisories/VMSA-2024-0001.html | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| vmware | aria_automation | 8.11.0 | |
| vmware | aria_automation | 8.11.1 | |
| vmware | aria_automation | 8.11.2 | |
| vmware | aria_automation | 8.12.0 | |
| vmware | aria_automation | 8.12.1 | |
| vmware | aria_automation | 8.12.2 | |
| vmware | aria_automation | 8.13.0 | |
| vmware | aria_automation | 8.13.1 | |
| vmware | aria_automation | 8.14.0 | |
| vmware | aria_automation | 8.14.1 | |
| vmware | cloud_foundation | 4.0 | |
| vmware | cloud_foundation | 5.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:vmware:aria_automation:8.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "183DC197-4FF2-4B84-B0E8-666E49CC9DDF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:aria_automation:8.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2849AEA0-B419-4096-B1D8-796686CE4C56",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:aria_automation:8.11.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CFFC657E-8780-46FE-AC01-22F8CFF196C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:aria_automation:8.12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "91E0F535-5F30-495E-9974-2C2F65ED94EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:aria_automation:8.12.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C8B7BAD1-8544-491E-B41F-B4CD4E2B3754",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:aria_automation:8.12.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FF9CA281-ACE8-4768-A5EC-EB29111CD3EC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:aria_automation:8.13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AB173C24-3DDA-46CA-9B80-9A2C4EB73768",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:aria_automation:8.13.1:*:*:*:*:*:*:*",
"matchCriteriaId": "24986636-3F4B-46CF-A374-0D006216731F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:aria_automation:8.14.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FB6E2175-E4C2-46A7-9D37-E37A8239B16D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:aria_automation:8.14.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6F48CE31-68D2-4FE8-9BB2-ADC85259552A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:cloud_foundation:4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "38EB0C0C-56CF-4A8F-A36F-E0E180B9059E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:vmware:cloud_foundation:5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D3D640F9-7733-415F-8BA7-DC41658EDC76",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Aria Automation contains a Missing Access Control vulnerability.\n\n\nAn authenticated malicious actor may \nexploit this vulnerability leading to unauthorized access to remote \norganizations and workflows.\n\n"
},
{
"lang": "es",
"value": "Aria Automation contiene una vulnerabilidad de control de acceso faltante. Un actor malicioso autenticado puede explotar esta vulnerabilidad y provocar acceso no autorizado a organizaciones y workflows remotos."
}
],
"id": "CVE-2023-34063",
"lastModified": "2025-06-20T17:15:30.883",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security@vmware.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-16T10:15:07.347",
"references": [
{
"source": "security@vmware.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.vmware.com/security/advisories/VMSA-2024-0001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://www.vmware.com/security/advisories/VMSA-2024-0001.html"
}
],
"sourceIdentifier": "security@vmware.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-862"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
CVE-2025-22249 (GCVE-0-2025-22249)
Vulnerability from cvelistv5
Published
2025-05-13 05:08
Modified
2025-05-13 13:49
Severity ?
VLAI Severity ?
EPSS score ?
Summary
VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability. A malicious actor may exploit this issue to steal the access token of a logged in user of VMware Aria automation appliance by tricking the user into clicking a malicious crafted payload URL.
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | VMware | Vmware Aria Automation |
Version: 8.18.x < 8.18.1 patch2 |
|||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22249",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T13:49:44.097131Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T13:49:59.998Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"any"
],
"product": "Vmware Aria Automation",
"vendor": "VMware",
"versions": [
{
"lessThan": "8.18.1 patch2",
"status": "affected",
"version": "8.18.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"any"
],
"product": "VMware Cloud Foundation",
"vendor": "VMware",
"versions": [
{
"lessThan": "8.18.1 patch 2",
"status": "affected",
"version": "5.x",
"versionType": "custom"
},
{
"lessThan": "8.18.1 patch 2",
"status": "affected",
"version": "4.x",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"platforms": [
"any"
],
"product": "VMware Telco Cloud Platform",
"vendor": "VMware",
"versions": [
{
"lessThan": "8.18.1 patch 2",
"status": "affected",
"version": "5.x",
"versionType": "custom"
}
]
}
],
"datePublic": "2025-05-12T10:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eVMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability.\u0026nbsp;\u003cp\u003eA malicious actor may exploit this issue to steal the access token of a logged in user of VMware Aria automation appliance by tricking the user into clicking a malicious crafted payload URL.\u003c/p\u003e\u003cbr\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "VMware Aria automation contains a DOM based Cross-Site Scripting (XSS) vulnerability.\u00a0A malicious actor may exploit this issue to steal the access token of a logged in user of VMware Aria automation appliance by tricking the user into clicking a malicious crafted payload URL."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T05:08:03.265Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25711"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "VMSA-2025-0008: VMware Aria automation updates address a DOM based Cross-site scripting vulnerability (CVE-2025-22249)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2025-22249",
"datePublished": "2025-05-13T05:08:03.265Z",
"dateReserved": "2025-01-02T04:30:19.929Z",
"dateUpdated": "2025-05-13T13:49:59.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-34063 (GCVE-0-2023-34063)
Vulnerability from cvelistv5
Published
2024-01-16 09:10
Modified
2025-06-20 17:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- VMware Aria Automation Missing Access Control Vulnerability
Summary
Aria Automation contains a Missing Access Control vulnerability.
An authenticated malicious actor may
exploit this vulnerability leading to unauthorized access to remote
organizations and workflows.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| N/A | VMware Aria Automation, VMware Cloud Foundation |
Version: Aria Automation 8.14.1, Aria Automation 8.14.0, Aria Automation 8.13.1, Aria Automation 8.13.0, Aria Automation 8.12.2, Aria Automation 8.12.1, Aria Automation 8.12.0, Aria Automation 8.11.2, Aria Automation 8.11.1, Aria Automation 8.11.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:01:53.537Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.vmware.com/security/advisories/VMSA-2024-0001.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-34063",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-01-16T20:17:51.196207Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-20T17:02:26.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VMware Aria Automation, VMware Cloud Foundation",
"vendor": "N/A",
"versions": [
{
"status": "affected",
"version": "Aria Automation 8.14.1, Aria Automation 8.14.0, Aria Automation 8.13.1, Aria Automation 8.13.0, Aria Automation 8.12.2, Aria Automation 8.12.1, Aria Automation 8.12.0, Aria Automation 8.11.2, Aria Automation 8.11.1, Aria Automation 8.11.0 "
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\nAria Automation contains a Missing Access Control vulnerability.\n\n\nAn authenticated malicious actor may \nexploit this vulnerability leading to unauthorized access to remote \norganizations and workflows.\n\n"
}
],
"value": "Aria Automation contains a Missing Access Control vulnerability.\n\n\nAn authenticated malicious actor may \nexploit this vulnerability leading to unauthorized access to remote \norganizations and workflows.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "VMware Aria Automation Missing Access Control Vulnerability",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-16T09:10:09.738Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://www.vmware.com/security/advisories/VMSA-2024-0001.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2023-34063",
"datePublished": "2024-01-16T09:10:09.738Z",
"dateReserved": "2023-05-25T17:21:56.204Z",
"dateUpdated": "2025-06-20T17:02:26.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22280 (GCVE-0-2024-22280)
Vulnerability from cvelistv5
Published
2024-07-11 04:39
Modified
2025-03-14 18:42
Severity ?
VLAI Severity ?
EPSS score ?
Summary
VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product. An authenticated malicious user could enter specially crafted SQL queries and perform unauthorised read/write operations in the database.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| VMware | VMware Aria Automation |
Version: 8.x |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-12T14:47:13.468275Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-14T18:42:23.052Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:34.225Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24598"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VMware Aria Automation",
"vendor": "VMware",
"versions": [
{
"lessThan": "8.17.0",
"status": "affected",
"version": "8.x",
"versionType": "8.17.0"
}
]
}
],
"datePublic": "2024-07-10T15:15:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eVMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAn authenticated malicious user could enter specially crafted SQL queries and perform unauthorised read/write operations in the database.\u003c/span\u003e\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product.\u00a0An authenticated malicious user could enter specially crafted SQL queries and perform unauthorised read/write operations in the database."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-11T04:39:09.353Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24598"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "VMSA-2024-0017: VMware Aria Automation updates address SQL-injection vulnerability (CVE-2024-22280)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2024-22280",
"datePublished": "2024-07-11T04:39:09.353Z",
"dateReserved": "2024-01-08T18:43:18.959Z",
"dateUpdated": "2025-03-14T18:42:23.052Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}