Broadcom-owned VMware on Wednesday pushed out patches for a high-risk SQL-injection vulnerability in its Aria Automation product and warned that an authenticated malicious user could target the flaw to manipulate databases.
The vulnerability, tracked as CVE-2024-22280, allows for unauthorized read and write operations in the database through specially crafted SQL queries, VMware said in an advisory with a “high-severity” rating.
The bug carries a CVSS severity score of 8.5/10.
Affected products include VMware Aria Automation version 8.x, and VMware Cloud Foundation versions 5.x and 4.x.
From the VMware advisory:
“VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product. An authenticated malicious user could enter specially crafted SQL queries and perform unauthorized read/write operations in the database.”
VMware said the bug was privately reported by researchers at Quebec’s Centre Gouvernemental de Cyberdéfense (CGCD).