certfr_avis - CERTFR-2024-AVI-0037

CERTFR-2024-AVI-0037

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans VMware Aria Operations. Elle permet à un attaquant de provoquer un contournement de la politique de sécurité.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
VMware	Aria Automation	VMware Aria Automation versions 8.12.x versions antérieures à 8.12.2 avec le correctif de sécurité vrlcm-vra-8.12.2-8.12.2.31368
VMware	N/A	VMware Cloud Foundation (Aria Automation) versions 4.x et 5.x sans le dernier correctif de sécurité
VMware	Aria Automation	VMware Aria Automation versions 8.13.x versions antérieures à 8.13.1 avec le correctif de sécurité vrlcm-vra-8.13.1-8.13.1.32385
VMware	Aria Automation	VMware Aria Automation versions 8.11.x versions antérieures à 8.11.2 avec le correctif de sécurité vrlcm-vra-8.11.2-8.11.2.30127
VMware	Aria Automation	VMware Aria Automation versions 8.14.x antérieures à 8.14.1 avec le correctif de sécurité vrlcm-vra-8.14.1-8.14.1.33501

References

Title

Publication Time

Tags

Bulletin de sécurité VMware VMSA-2024-0001 du 16 janvier 2024

None

vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "VMware Aria Automation versions 8.12.x versions ant\u00e9rieures \u00e0 8.12.2 avec le correctif de s\u00e9curit\u00e9 vrlcm-vra-8.12.2-8.12.2.31368",
      "product": {
        "name": "Aria Automation",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "VMware Cloud Foundation (Aria Automation) versions 4.x et 5.x sans le dernier correctif de s\u00e9curit\u00e9",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "VMware Aria Automation versions 8.13.x versions ant\u00e9rieures \u00e0 8.13.1 avec le correctif de s\u00e9curit\u00e9 vrlcm-vra-8.13.1-8.13.1.32385",
      "product": {
        "name": "Aria Automation",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "VMware Aria Automation versions 8.11.x versions ant\u00e9rieures \u00e0 8.11.2 avec le correctif de s\u00e9curit\u00e9 vrlcm-vra-8.11.2-8.11.2.30127",
      "product": {
        "name": "Aria Automation",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    },
    {
      "description": "VMware Aria Automation versions 8.14.x ant\u00e9rieures \u00e0 8.14.1 avec le correctif de s\u00e9curit\u00e9 vrlcm-vra-8.14.1-8.14.1.33501",
      "product": {
        "name": "Aria Automation",
        "vendor": {
          "name": "VMware",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-34063",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-34063"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0037",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-01-16T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans VMware Aria Operations. Elle\npermet \u00e0 un attaquant de provoquer un contournement de la politique de\ns\u00e9curit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans VMware Aria Operations",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 VMware VMSA-2024-0001 du 16 janvier 2024",
      "url": "https://www.vmware.com/security/advisories/VMSA-2024-0001.html"
    }
  ]
}

CVE-2023-34063 (GCVE-0-2023-34063)

Vulnerability from cvelistv5 – Published: 2024-01-16 09:10 – Updated: 2025-06-20 17:02

Summary

Aria Automation contains a Missing Access Control vulnerability. An authenticated malicious actor may exploit this vulnerability leading to unauthorized access to remote organizations and workflows.

Severity ?

9.9 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H

CWE

VMware Aria Automation Missing Access Control Vulnerability

Assigner

vmware

References

URL

Tags

https://www.vmware.com/security/advisories/VMSA-2…

Impacted products

	Vendor	Product	Version
	N/A	VMware Aria Automation, VMware Cloud Foundation	Affected: Aria Automation 8.14.1, Aria Automation 8.14.0, Aria Automation 8.13.1, Aria Automation 8.13.0, Aria Automation 8.12.2, Aria Automation 8.12.1, Aria Automation 8.12.0, Aria Automation 8.11.2, Aria Automation 8.11.1, Aria Automation 8.11.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T16:01:53.537Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.vmware.com/security/advisories/VMSA-2024-0001.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-34063",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-01-16T20:17:51.196207Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-862",
                "description": "CWE-862 Missing Authorization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-20T17:02:26.911Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "VMware Aria Automation, VMware Cloud Foundation",
          "vendor": "N/A",
          "versions": [
            {
              "status": "affected",
              "version": "Aria Automation 8.14.1, Aria Automation 8.14.0, Aria Automation 8.13.1, Aria Automation 8.13.0, Aria Automation 8.12.2, Aria Automation 8.12.1, Aria Automation 8.12.0, Aria Automation 8.11.2, Aria Automation 8.11.1, Aria Automation 8.11.0      "
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\nAria Automation contains a Missing Access Control vulnerability.\n\n\nAn authenticated malicious actor may \nexploit this vulnerability leading to unauthorized access to remote \norganizations and workflows.\n\n"
            }
          ],
          "value": "Aria Automation contains a Missing Access Control vulnerability.\n\n\nAn authenticated malicious actor may \nexploit this vulnerability leading to unauthorized access to remote \norganizations and workflows.\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "VMware Aria Automation Missing Access Control Vulnerability",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-16T09:10:09.738Z",
        "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
        "shortName": "vmware"
      },
      "references": [
        {
          "url": "https://www.vmware.com/security/advisories/VMSA-2024-0001.html"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
    "assignerShortName": "vmware",
    "cveId": "CVE-2023-34063",
    "datePublished": "2024-01-16T09:10:09.738Z",
    "dateReserved": "2023-05-25T17:21:56.204Z",
    "dateUpdated": "2025-06-20T17:02:26.911Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2024-AVI-0037

Solution

CVE-2023-34063 (GCVE-0-2023-34063)

Tags

Sightings

Nomenclature