CVSS: 8.3EPSS: 4%CPEs: 4EXPL: 0CVE-2023-20858
https://notcve.org/view.php?id=CVE-2023-20858
21 Feb 2023 — VMware Carbon Black App Control 8.7.x prior to 8.7.8, 8.8.x prior to 8.8.6, and 8.9.x.prior to 8.9.4 contain an injection vulnerability. A malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system. • https://www.vmware.com/security/advisories/VMSA-2023-0004.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36797
https://notcve.org/view.php?id=CVE-2022-36797
16 Feb 2023 — Protection mechanism failure in the Intel(R) Ethernet 500 Series Controller drivers for VMware before version 1.10.0.1 may allow an authenticated user to potentially enable denial of service via local access. • http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00750.html •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-36416
https://notcve.org/view.php?id=CVE-2022-36416
16 Feb 2023 — Protection mechanism failure in the Intel(R) Ethernet 500 Series Controller drivers for VMware before version 1.10.0.13 may allow an authenticated user to potentially enable escalation of privilege via local access. • http://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00750.html •
CVSS: 8.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-20854
https://notcve.org/view.php?id=CVE-2023-20854
03 Feb 2023 — VMware Workstation contains an arbitrary file deletion vulnerability. A malicious actor with local user privileges on the victim's machine may exploit this vulnerability to delete arbitrary files from the file system of the machine on which Workstation is installed. • https://www.vmware.com/security/advisories/VMSA-2023-0003.html • CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-20856
https://notcve.org/view.php?id=CVE-2023-20856
01 Feb 2023 — VMware vRealize Operations (vROps) contains a CSRF bypass vulnerability. A malicious user could execute actions on the vROps platform on behalf of the authenticated victim user. • https://www.vmware.com/security/advisories/VMSA-2023-0002.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 80%CPEs: 2EXPL: 1CVE-2022-31704 – VMware vRealize Log Insight setConfig Missing Authentication for Critical Function Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-31704
25 Jan 2023 — The vRealize Log Insight contains a broken access control vulnerability. An unauthenticated malicious actor can remotely inject code into sensitive files of an impacted appliance which can result in remote code execution. vRealize Log Insight contiene una vulnerabilidad de control de acceso roto. Un actor malintencionado no autenticado puede inyectar código de forma remota en archivos confidenciales de un dispositivo afectado, lo que puede provocar la ejecución remota de código. This vulnerability allows re... • https://packetstorm.news/files/id/174606 • CWE-284: Improper Access Control •
CVSS: 10.0EPSS: 82%CPEs: 2EXPL: 1CVE-2022-31706 – VMware vRealize Log Insight RemotePakDownloadCommand Directory Traversal Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-31706
25 Jan 2023 — The vRealize Log Insight contains a Directory Traversal Vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution. vRealize Log Insight contiene una vulnerabilidad de Directory Traversal. Un actor malintencionado no autenticado puede inyectar archivos en el sistema operativo de un dispositivo afectado, lo que puede provocar la ejecución remota de código. This vulnerability allows remote attackers to execut... • https://packetstorm.news/files/id/174606 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-31710 – VMware vRealize Log Insight addClusterCACertificate Deserialization of Untrusted Data Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2022-31710
25 Jan 2023 — vRealize Log Insight contains a deserialization vulnerability. An unauthenticated malicious actor can remotely trigger the deserialization of untrusted data which could result in a denial of service. vRealize Log Insight contiene una vulnerabilidad de deserialización. Un actor malicioso no autenticado puede desencadenar de forma remota la deserialización de datos que no son de confianza, lo que podría provocar una denegación de servicio. This vulnerability allows remote attackers to create a denial-of-servi... • https://www.vmware.com/security/advisories/VMSA-2023-0001.html • CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 74%CPEs: 2EXPL: 1CVE-2022-31711 – VMware vRealize Log Insight getConfig Missing Authentication for Critical Function Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2022-31711
25 Jan 2023 — VMware vRealize Log Insight contains an Information Disclosure Vulnerability. A malicious actor can remotely collect sensitive session and application information without authentication. VMware vRealize Log Insight contiene una vulnerabilidad de Divulgación de Información. Un actor malintencionado puede recopilar de forma remota información sensible de la sesión y la aplicación sin autenticación. This vulnerability allows remote attackers to disclose information on affected installations of VMware vRealize ... • https://packetstorm.news/files/id/174606 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-22602 – Apache Shiro before 1.11.0, when used with Spring Boot 2.6+, may allow authentication bypass through a specially crafted HTTP request
https://notcve.org/view.php?id=CVE-2023-22602
14 Jan 2023 — When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher` Cuando se utiliza Apache Shiro ante... • https://lists.apache.org/thread/dzj0k2smpzzgj6g666hrbrgsrlf9yhkl • CWE-436: Interpretation Conflict •