First published: Tue Feb 21 2023
VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges.
Credit: security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| VMware vRealize Automation | >=8.0, <8.11.1 | |
| VMware vRealize Orchestrator | >=8.0, <8.11.1 | |
CVE-2023-20855 is a vulnerability in VMware vRealize Orchestrator that allows a malicious actor to bypass XML parsing restrictions and gain unauthorized access to sensitive information or potentially elevate privileges.
The severity of CVE-2023-20855 is rated as high, with a CVSS score of 8.8.
VMware vRealize Automation and VMware vRealize Orchestrator versions 8.0 and later, prior to 8.11.1, are affected by CVE-2023-20855.
A malicious actor with non-administrative access to vRealize Orchestrator can exploit CVE-2023-20855 by using specially crafted input to bypass XML parsing restrictions.
VMware has provided patches that address CVE-2023-20855. More information can be found in the official VMware security advisory.
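The advisory does not describe how vRealize Orchestrator parses XML, so the following is an added example (not VMware's code) of the standard XXE mitigation: a parser that refuses any DOCTYPE, entity declaration or external entity reference before document content is processed, hooked into the parser's own tokenisation rather than a pattern match over the raw bytes. It uses only Python's standard-library expat binding; the sample documents are constructed.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document declares a DTD, an entity or an external reference."""


def parse_without_entities(data: bytes) -> dict:
    """Parse `data` with expat, aborting on the first sign of a DTD or entity.

    Returns a small summary {"root": ..., "text": ...} of the parsed document.
    The hooks run inside expat, so an exception raised there stops parsing
    before any entity could be expanded or resolved.
    """
    parser = expat.ParserCreate()
    result = {"root": None, "text": ""}

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Rejecting DOCTYPE outright also rules out every entity declaration,
        # since entities can only be declared inside a DTD.
        raise UnsafeXML(f"DOCTYPE is not allowed (root={name!r})")

    def forbid_entity(*decl):
        raise UnsafeXML("entity declaration is not allowed")

    def forbid_external(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference {sysid!r} is not allowed")

    def on_start(name, attrs):
        if result["root"] is None:
            result["root"] = name

    def on_text(text):
        result["text"] += text  # expat may deliver text in several chunks

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return result


def rejects(data: bytes) -> bool:
    """True if the hardened parser refuses `data` because of DTD/entity usage."""
    try:
        parse_without_entities(data)
    except UnsafeXML:
        return False or True
    return False


# Constructed samples: a plain document, a bare DOCTYPE, and an external entity.
SAFE_DOC = b'<?xml version="1.0"?><config><name>vro</name></config>'
DOCTYPE_DOC = b"<!DOCTYPE config><config/>"
XXE_DOC = b'<!DOCTYPE d [<!ENTITY ext SYSTEM "file:///constructed/path">]><d>&ext;</d>'
```

Well-formedness errors still surface as `expat.ExpatError`, which is deliberately kept separate from the `UnsafeXML` policy rejection.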