CVE-2022-31711
published 2023-01-26


Priority: P2 · 76 · Medium 5.3 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
ITW / Exploit: VulnCheck KEV · Exploited in the wild
EPSS: 21.66% (97.3rd percentile)
VMware vRealize Log Insight contains an Information Disclosure Vulnerability. A malicious actor can remotely collect sensitive session and application information without authentication.

Affected (2 ranges)

Vendor   Product               Version range        Fixed in
vmware   vrealize_log_insight  3.0 – 4.8            (none listed)
vmware   vrealize_log_insight  >= 8.0.0, < 8.10.2   8.10.2

Detection & IOCs (extracted from sources)

command: RemotePakDownloadCommand
command: GetConfigRequest
command: PakUpgradeCommand
sigma: VMware vRealize Log Insight Information Disclosure (CVE-2022-31711)
  • Detect unauthenticated calls to the Thrift RPC service on vRealize Log Insight, specifically GetConfigRequest (node token harvesting) followed by RemotePakDownloadCommand and PakUpgradeCommand sequences.
  • Look for newly created JSP files under pre-authenticated API endpoint locations on vRealize Log Insight, which would indicate successful PAK archive extraction as part of RCE exploitation.
  • CVE-2022-31711 is chained with CVE-2022-31706 (directory traversal) and CVE-2022-31704 (broken access control); detect any of these in combination as they form the VMSA-2023-0001 exploit chain enabling unauthenticated RCE.
  • Monitor for cron job creation on vRealize Log Insight appliances, as the default PoC payload writes a cron job to establish a reverse shell.
  • Exploitation requires the attacker to already have a foothold on the network, as vRealize Log Insight is unlikely to be internet-exposed; this CVE is most relevant as a lateral movement enabler.
  • The Metasploit module targets vRealize Log Insight v8.x specifically; version fingerprinting via the 'version' field in the HTTP response body can confirm exposure.
  • CVE-2023-34051 is a bypass for the original VMSA-2023-0001 exploit chain (which includes CVE-2022-31711); patching VMSA-2023-0001 alone is insufficient if CVE-2023-34051 is unpatched.

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     5.3    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vulncheck               5.3    MEDIUM
vendor_redhat           5.5    MEDIUM