VYPR
Unrated severity · NVD Advisory · Published Jul 11, 2024 · Updated Mar 14, 2025

VMSA-2024-0017: VMware Aria Automation updates address SQL-injection vulnerability (CVE-2024-22280)

CVE-2024-22280

Description

VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product. An authenticated malicious user could enter specially crafted SQL queries and perform unauthorised read/write operations in the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

VMware Aria Automation is vulnerable to SQL injection due to improper input validation, allowing authenticated users to execute unauthorized database operations.

Vulnerability

VMware Aria Automation versions 8.x are affected by a SQL injection vulnerability (CVE-2024-22280) caused by improper input validation: the product does not sufficiently sanitize user-supplied input in its handling of database queries, allowing injection of SQL commands. All 8.x releases prior to the fix are affected; version 8.17.0 is unaffected. [1]

Exploitation

An authenticated attacker with valid credentials can exploit this vulnerability by sending specially crafted SQL queries to the application. No additional privileges or network position beyond authentication are required; the attacker can be a low-privileged user. The attack does not require user interaction. [1]

Impact

Successful exploitation allows the attacker to perform unauthorized read and write operations on the backend database. This can lead to disclosure of sensitive data, modification or deletion of database records, and potentially further compromise of the system. The CVSSv3 base score is 8.5, indicating high severity. [1]

Mitigation

Broadcom has released patches to remediate this vulnerability. The fixed version is available via KB325790. VMware Cloud Foundation (5.x, 4.x) is also affected and has the same fix. No workarounds are available. Users should apply the patches immediately to mitigate the risk. [1]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2



References

1
