CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-20871
https://notcve.org/view.php?id=CVE-2023-20871
VMware Fusion contains a local privilege escalation vulnerability. A malicious actor with read/write access to the host operating system can elevate privileges to gain root access to the host operating system. • https://www.vmware.com/security/advisories/VMSA-2023-0008.html •
CVSS: 7.5EPSS: 2%CPEs: 9EXPL: 2CVE-2023-29552 – Service Location Protocol (SLP) Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2023-29552
The Service Location Protocol (SLP, RFC 2608) allows an unauthenticated, remote attacker to register arbitrary services. This could allow the attacker to use spoofed UDP traffic to conduct a denial-of-service attack with a significant amplification factor. The Service Location Protocol (SLP) contains a denial-of-service (DoS) vulnerability that could allow an unauthenticated, remote attacker to register services and use spoofed UDP traffic to conduct a denial-of-service (DoS) attack with a significant amplification factor. • https://blogs.vmware.com/security/2023/04/vmware-response-to-cve-2023-29552-reflective-denial-of-service-dos-amplification-vulnerability-in-slp.html https://curesec.com/blog/article/CVE-2023-29552-Service-Location-Protocol-Denial-of-Service-Amplification-Attack-212.html https://datatracker.ietf.org/doc/html/rfc2608 https://github.com/curesec/slpload https://security.netapp.com/advisory/ntap-20230426-0001 https://www.bitsight.com/blog/new-high-severity-vulnerability-cve-2023-29552-discovered-service-location-protoco •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2023-20865
https://notcve.org/view.php?id=CVE-2023-20865
VMware Aria Operations for Logs contains a command injection vulnerability. A malicious actor with administrative privileges in VMware Aria Operations for Logs can execute arbitrary commands as root. • https://www.vmware.com/security/advisories/VMSA-2023-0007.html • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 14%CPEs: 2EXPL: 0CVE-2023-20864 – VMware Aria Operations for Logs Cluster Controller Deserialization of Untrusted Data Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-20864
VMware Aria Operations for Logs contains a deserialization vulnerability. An unauthenticated, malicious actor with network access to VMware Aria Operations for Logs may be able to execute arbitrary code as root. This vulnerability allows remote attackers to execute arbitrary code on affected installations of VMware Aria Operations for Logs. Authentication is not required to exploit this vulnerability. The specific flaw exists within the InternalClusterController class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. • https://www.vmware.com/security/advisories/VMSA-2023-0007.html • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-20873 – spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud Foundry
https://notcve.org/view.php?id=CVE-2023-20873
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+. A flaw was found in Spring Boot. This targets specifically 'spring-boot-actuator-autoconfigure' package. • https://security.netapp.com/advisory/ntap-20230601-0009 https://spring.io/blog/2023/05/18/spring-boot-2-5-15-and-2-6-15-available-now https://spring.io/security/cve-2023-20873 https://access.redhat.com/security/cve/CVE-2023-20873 https://bugzilla.redhat.com/show_bug.cgi?id=2231491 • CWE-284: Improper Access Control •