VMware Patches Critical SQL-Injection Flaw in Aria Automation

Broadcom-owned VMware on Wednesday pushed out patches for a high-risk SQL-injection vulnerability in its Aria Automation product and warned that an authenticated malicious user could target the flaw to manipulate databases.

The vulnerability, tracked as CVE-2024-22280, allows for unauthorized read and write operations in the database through specially crafted SQL queries, VMware said in an advisory carrying a “high-severity” rating.

The bug carries a CVSS severity score of 8.5/10.

Affected products include VMware Aria Automation version 8.x, and VMware Cloud Foundation versions 5.x and 4.x.

From the VMware advisory:

“VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product. An authenticated malicious user could enter specially crafted SQL queries and perform unauthorized read/write operations in the database.”
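The advisory points at the root cause: missing input validation that lets user-supplied text alter the structure of a SQL statement. As an added illustration that is not VMware's code and says nothing about Aria Automation's internals, the constructed Python/sqlite3 sketch below puts that pattern beside the hardened form, where the input shape is checked and values are bound as parameters so an authenticated user can only read rows the query was meant to return (table, columns and data are invented):

```python
import re
import sqlite3

# Constructed sample schema and rows; not the product's real schema.
SCHEMA = """
CREATE TABLE deployments (id INTEGER PRIMARY KEY, owner TEXT, name TEXT, secret TEXT);
INSERT INTO deployments (owner, name, secret) VALUES
  ('alice', 'web-tier', 'alice-secret'),
  ('bob',   'db-tier',  'bob-secret');
"""


def make_db():
    """Create an in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, user, name):
    """The defect class the advisory describes: caller-controlled text is
    concatenated into the statement, so a crafted `name` can rewrite the
    WHERE clause and return rows that belong to other users."""
    sql = (
        "SELECT owner, name, secret FROM deployments "
        f"WHERE owner = '{user}' AND name = '{name}'"
    )
    return conn.execute(sql).fetchall()


def parameterized_lookup(conn, user, name):
    """Same query with bound parameters: the driver treats `name` purely as a
    value, so the statement structure cannot change whatever it contains."""
    sql = "SELECT owner, name, secret FROM deployments WHERE owner = ? AND name = ?"
    return conn.execute(sql, (user, name)).fetchall()


# Hypothetical allow-list for deployment names (assumption for this sketch).
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def hardened_lookup(conn, user, name):
    """Defense in depth: reject malformed input up front, then bind parameters.
    Validation alone is not the fix; parameter binding is what removes the
    injection, and validation narrows what reaches the database at all."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid deployment name")
    return parameterized_lookup(conn, user, name)
```

Run against the seeded table, the concatenated query returns both users' rows for a crafted name, while the parameterized one returns none for that input and only the caller's own row for a legitimate name.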

VMware said the bug was privately reported by researchers at Quebec’s Centre Gouvernemental de Cyberdéfense (CGCD).

Related: VMware vCenter Flaw So Critical, Patches Released for EOL Products

Related: VMware Patches Major Security Flaws in Network Monitoring Suite

Related: VMware Confirms Exploits Hitting Just-Patched Security Bug

Related: Exploit Published for Major Flaw in VMware Logging Software
