CVE-2023-20855: VMSA-2023-0005
VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges.
Advisory ID: VMSA-2023-0005
CVSSv3 Range: 8.8
Issue Date: 2023-02-21
Updated On: 2023-02-21 (Initial Advisory)
CVE(s): CVE-2023-20855
Synopsis: VMware vRealize Orchestrator update addresses an XML External Entity (XXE) vulnerability (CVE-2023-20855)
**1. Impacted Products**
VMware vRealize Orchestrator
VMware vRealize Automation
VMware Cloud Foundation (Cloud Foundation)
**2. Introduction**
An XML External Entity (XXE) vulnerability affecting VMware vRealize Orchestrator was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.
**3. XML External Entity (XXE) Vulnerability (CVE-2023-20855)**
VMware vRealize Orchestrator contains an XML External Entity (XXE) vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.
A malicious actor, with non-administrative access to vRealize Orchestrator, may be able to use specially crafted input to bypass XML parsing restrictions leading to access to sensitive information or possible escalation of privileges.
To remediate CVE-2023-20855 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
VMware vRealize Automation 8.x is affected since it uses embedded vRealize Orchestrator.
VMware would like to thank IT.NRW for reporting this issue to us.
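The class of flaw described above is an XML parser that still honours DOCTYPE and entity declarations in input supplied by a low-privileged user. The following is an added example, not VMware's code and not part of this advisory, showing the usual defensive gate: parse untrusted XML with all DTD and entity handling refused before any entity can be expanded or any external resource fetched. It uses only the Python standard library's expat bindings; the sample documents, element names and the placeholder SYSTEM URI are constructed for the illustration.

```python
"""Added example (not VMware's code): a DTD-rejecting XML gate of the kind that
defends against XXE issues such as CVE-2023-20855. Standard library only; the
sample documents below are constructed."""
import xml.parsers.expat as expat


class DtdRejected(ValueError):
    """Raised when input declares a DOCTYPE or an entity."""


def parse_element_names(data: bytes) -> list:
    """Parse XML and return element names in document order.

    Any DOCTYPE or entity declaration aborts parsing before expansion can
    happen, and any external entity reference is refused outright.
    """
    parser = expat.ParserCreate()
    names = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE is the only place entities can be declared; untrusted
        # application input never needs one, so reject it at the source.
        raise DtdRejected(f"DOCTYPE '{name}' not permitted")

    def on_entity_decl(entity_name, is_parameter_entity, value, base,
                       sysid, pubid, notation):
        # Defence in depth: also refuse entity declarations directly.
        raise DtdRejected(f"entity declaration '{entity_name}' not permitted")

    def on_external_ref(context, base, sysid, pubid):
        # Returning 0 tells expat to fail the parse instead of fetching
        # the external resource (file, http, etc.).
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(data, True)
    return names


def accepts(data: bytes) -> bool:
    """True if the document passes the gate, False if it was rejected."""
    try:
        parse_element_names(data)
        return True
    except (DtdRejected, expat.ExpatError):
        return False


# Constructed samples (element names are hypothetical).
BENIGN = b'<?xml version="1.0"?><workflow><name>demo</name></workflow>'

# External entity declaration; the SYSTEM URI is a placeholder, not a real target.
WITH_EXTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE w [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
    b'<workflow><name>&ext;</name></workflow>'
)

# Internal entity only; the same gate also stops entity-expansion DoS.
WITH_INTERNAL_ENTITY = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE w [<!ENTITY a "aaaa">]>'
    b'<workflow><name>&a;</name></workflow>'
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN),
                       ("external entity", WITH_EXTERNAL_ENTITY),
                       ("internal entity", WITH_INTERNAL_ENTITY)]:
        print(f"{label}: {'accepted' if accepts(doc) else 'rejected'}")
```

The gate rejects on the DOCTYPE declaration itself, so neither external-entity disclosure nor internal entity expansion ever reaches the application; a parser configured this way has nothing for "specially crafted input" to bypass. The same policy in a Java stack is the documented `disallow-doctype-decl` feature on the parser factory.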
Response Matrix:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware vRealize Orchestrator | 8.x | Virtual Appliance | CVE-2023-20855 | 8.8 | important | 8.11.1 | None | None |
| VMware vRealize Automation | 8.x | Any | CVE-2023-20855 | 8.8 | important | 8.11.1 | None | None |
Impacted Product Suites that Deploy Response Matrix Components:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Cloud Foundation (vRealize Automation) | 4.x | Any | CVE-2023-20855 | 8.8 | important | KB90926 | None | None |
**4. References**
**5. Change Log**
2023-02-21 VMSA-2023-0005
Initial security advisory.
**6. Contact**