CVE-2023-20858: VMSA-2023-0004
VMware Carbon Black App Control 8.7.x prior to 8.7.8, 8.8.x prior to 8.8.6, and 8.9.x prior to 8.9.4 contain an injection vulnerability. A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input to gain access to the underlying server operating system.
Advisory ID: VMSA-2023-0004
CVSSv3 Range: 9.1
Issue Date: 2023-02-21
Updated On: 2023-02-21 (Initial Advisory)
CVE(s): CVE-2023-20858
Synopsis: VMware Carbon Black App Control updates address an injection vulnerability (CVE-2023-20858)
**1. Impacted Products**
- VMware Carbon Black App Control (App Control)
**2. Introduction**
An injection vulnerability affecting VMware Carbon Black App Control was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.
**3. Injection Vulnerability (CVE-2023-20858)**
VMware Carbon Black App Control contains an injection vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.
A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input to gain access to the underlying server operating system.
To remediate CVE-2023-20858 update to the versions listed in the ‘Fixed Version’ column of the ‘Response Matrix’ found below.
VMware would like to thank Jari Jääskelä (@JJaaskela) for reporting this vulnerability to us.
Response Matrix:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| App Control | 8.9.x | Windows | CVE-2023-20858 | 9.1 | Critical | 8.9.4 | None | None |
| App Control | 8.8.x | Windows | CVE-2023-20858 | 9.1 | Critical | 8.8.6 | None | None |
| App Control | 8.7.x | Windows | CVE-2023-20858 | 9.1 | Critical | 8.7.8 | None | None |
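The following script is an added example, not part of the VMware advisory, that encodes the Fixed Version column of the Response Matrix as a branch-aware version check: given an installed App Control server version string (assumed to have been read from the server by the administrator; this page does not describe how), it reports whether the install is affected, already fixed, or on a branch this advisory does not cover. The host inventory at the bottom is constructed sample data.

```python
"""Exposure check for VMSA-2023-0004 / CVE-2023-20858.

Added example, not VMware code. Maps each App Control branch named in the
Response Matrix to the version that fixes it, then classifies an installed
version string as 'affected', 'fixed', or 'not-listed'.
"""
from typing import Dict, List, Tuple

# Fixed versions taken from the Response Matrix, keyed by (major, minor) branch.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (8, 7): (8, 7, 8),
    (8, 8): (8, 8, 6),
    (8, 9): (8, 9, 4),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'a.b.c' (a trailing build number such as 'a.b.c.1234' is allowed)
    into a tuple of ints.

    Raises ValueError on anything that is not dot-separated non-negative
    integers, so a garbled or empty version string is never silently
    classified as safe.
    """
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'affected', 'fixed', or 'not-listed' for one App Control version.

    'not-listed' means the (major, minor) branch does not appear in the
    advisory's Response Matrix; the advisory says nothing about it, so the
    script does not guess either way.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "not-listed"
    # Pad to three components so '8.9' compares as 8.9.0 and a fourth
    # build component is ignored when comparing against the fix version.
    v3 = (v + (0, 0, 0))[:3]
    return "fixed" if v3 >= fixed else "affected"


def hosts_needing_update(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames (sorted) whose App Control version is affected."""
    return sorted(h for h, ver in inventory.items() if classify(ver) == "affected")


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample_inventory = {
        "appctl-01": "8.9.2",
        "appctl-02": "8.9.4",
        "appctl-03": "8.8.6",
        "appctl-04": "8.7.7.1234",
        "appctl-05": "8.6.2",
    }
    for host, ver in sample_inventory.items():
        print(f"{host:<10} {ver:<12} {classify(ver)}")
    print("needs update:", hosts_needing_update(sample_inventory))
```

Because the Workarounds column reads None for every branch, an "affected" result can only be resolved by upgrading to the listed fixed version; a "not-listed" result means the branch is outside what this advisory covers and should be checked against VMware's own documentation rather than assumed safe.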
**4. References**
**5. Change Log**
2023-02-21 VMSA-2023-0004: Initial security advisory.
**6. Contact**