- 202/2024
- High
VMware has released security updates to address multiple vulnerabilities across several VMware products.
The addressed vulnerabilities could enable the attacker to perform cross-site scripting attacks, bypass security controls, conduct denial of service attacks, or gain unauthorized read/write operations in the database by sending specially crafted SQL statements.
Sample of the addressed vulnerabilities:
1. VMware Aria Automation SQL Injection Vulnerability (CVE-2024-22280):
- CVSS: 8.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Data Manipulation
2. VMware Cloud Director Availability Cross-Site Scripting Vulnerability (CVE-2024-22277):
- CVSS: 6.4
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Cross-Site Scripting
Affected Products:
- VMware ESXi.
- VMware vCenter Server.
- VMware Cloud Foundation.
- VMware Aria Automation.
Vulnerabilities
- CVE-2024-22280
- CVE-2024-22277
- CVE-2024-37086
- CVE-2024-37087
- CVE-2024-37085
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.