VMware Resolves Critical SQL Injection in Aria Automation Product

VMware recently addressed a critical SQL injection vulnerability, tracked as CVE-2024-22280, in its Aria Automation product. The flaw could allow an authenticated malicious user to submit specially crafted SQL queries and carry out unauthorized read/write operations on the database.

Aria Automation, previously known as vRealize Automation, is a cloud automation platform that facilitates the deployment and management of cloud infrastructure and applications across various cloud environments. The vulnerable versions include VMware Aria Automation version 8.x and Cloud Foundation versions 5.x and 4.x.

The company credited Alexandre Lavoie and Felix Boulet from the Canadian Centre gouvernemental de cyberdéfense (CGCD) for privately disclosing the vulnerability. VMware stated that there are no workarounds for this particular issue.

VMware previously addressed another critical vulnerability, CVE-2023-34063, which received a high CVSS score of 9.9. That issue was a missing access control flaw that an authenticated attacker could exploit to gain unauthorized access to remote organizations and workflows.

With this recent fix, VMware continues to enhance the security posture of its products, ensuring the protection of customer data and infrastructure. Users are advised to update their Aria Automation installations to the latest patched versions to mitigate the risk associated with these vulnerabilities.

(Source: Security Affairs)

Article Source
https://securityaffairs.com/165560/security/VMware-aria-automation-critical-sql-injection.html?amp