{"id":165560,"date":"2024-07-11T00:09:07","date_gmt":"2024-07-11T00:09:07","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=165560"},"modified":"2024-07-11T00:09:24","modified_gmt":"2024-07-11T00:09:24","slug":"vmware-aria-automation-critical-sql-injection","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/165560\/security\/vmware-aria-automation-critical-sql-injection.html","title":{"rendered":"VMware fixed critical SQL-Injection in Aria Automation product"},"content":{"rendered":"
<\/div>\n

VMware addressed a critical SQL-Injection vulnerability, tracked as CVE-2024-22280, impacting Aria Automation.<\/h2>\n\n\n\n

Virtualization giant VMware addressed a high-severity SQL-injection vulnerability, tracked as CVE-2024-22280 (CVSSv3 base score of\u00a08.5), in its Aria Automation solution. <\/p>\n\n\n\n

VMware Aria Automation (formerly\u00a0vRealize Automation<\/a>) is a modern cloud automation platform that simplifies and streamlines the deployment, management, and governance of cloud infrastructure and applications. It provides a unified platform for automating tasks across multiple cloud environments, including VMware Cloud on AWS, VMware Cloud on Azure, and VMware Cloud Foundation.<\/p>\n\n\n\n

An authenticated malicious user\u00a0can exploit the flaw by entering specially crafted SQL queries and perform unauthorised read\/write operations in the database.<\/p>\n\n\n\n

“An authenticated malicious user\u00a0could enter specially crafted SQL queries and perform unauthorised read\/write operations in the database.” reads the advisory<\/a>.<\/p>\n\n\n\n

The vulnerability impacts VMware Aria Automation<\/a> version 8.x, and Cloud Foundation versions 5.x and 4.x.\u00a0<\/p>\n\n\n\n

VMware acknowledged Alexandre Lavoie and Felix Boulet with the Canadian Centre gouvernemental de cyberd\u00e9fense (CGCD)\u00a0for privately reporting this issue.<\/p>\n\n\n\n

The company states that there are no workarounds for this issue.<\/p>\n\n\n\n

In January, VMware addressed<\/a> a critical vulnerability, tracked as\u00a0CVE-2023-34063<\/a>\u00a0(CVSS score 9.9), that impacted its Aria Automation platform.<\/p>\n\n\n\n

The issue is a missing access control vulnerability that can be exploited by an authenticated attacker to gain unauthorized access to remote organizations and workflows.<\/p>\n\n\n\n

Pierluigi\u00a0Paganini<\/strong><\/a><\/p>\n\n\n\n


<\/gwmw><\/p>\n","protected":false},"excerpt":{"rendered":"

VMware addressed a critical SQL-Injection vulnerability, tracked as CVE-2024-22280, impacting Aria Automation. Virtualization giant VMware addressed a high-severity SQL-injection vulnerability, tracked as CVE-2024-22280 (CVSSv3 base score of\u00a08.5), in its Aria Automation solution. VMware Aria Automation (formerly\u00a0vRealize Automation) is a modern cloud automation platform that simplifies and streamlines the deployment, management, and governance of cloud infrastructure […]<\/p>\n","protected":false},"author":1,"featured_media":116235,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3323,55],"tags":[4112,9508,9506,10918,687,841,1533,15212,5034,14828],"class_list":["post-165560","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-breaking-news","category-security","tag-hacking","tag-hacking-news","tag-information-security-news","tag-it-information-security","tag-pierluigi-paganini","tag-security-affairs","tag-security-news","tag-sql-injection-2","tag-vmware","tag-vmware-aria-automation"],"yoast_head":"\n