CVE-2023-20855

CWE-611 — XML External Entity (XXE)4 documents4 sources

Severity

8.8HIGH

EPSS

0.9%

top 23.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Vrealize Automation Vmware Vrealize Orchestrator

Timeline

PublishedFeb 22

Description

VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDvmware/vrealize_orchestrator8.0 — 8.11.1

▶NVDvmware/vrealize_automation8.0 — 8.11.1

Patches

Patch: www.vmware.com ↗Patch: www.vmware.com ↗

🔴Vulnerability Details

GHSA

GHSA-3hq4-5qpg-7776: VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability↗2023-02-22

▶

CVEList

CVE-2023-20855: VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability↗2023-02-21

▶

📋Vendor Advisories

VMware

VMware vRealize Orchestrator update addresses an XML External Entity (XXE) vulnerability (CVE-2023-20855)↗2023-02-21

▶