VMware Patches Critical SQL-Injection Flaw in Aria Automation


VMware warns that authenticated malicious users could enter specially crafted SQL queries and perform unauthorized read/write operations in the database.

Broadcom-owned VMware on Wednesday pushed out patches for a high-risk SQL-injection vulnerability in its Aria Automation product and warned that an authenticated malicious user could target the flaw to manipulate databases.

The vulnerability, tracked as CVE-2024-22280, allows for unauthorized read and write operations in the database through specially crafted SQL queries, VMware said in an advisory with a “high-severity” rating.

The bug carries a CVSS severity score of 8.5/10.

Affected products include VMware Aria Automation version 8.x, and VMware Cloud Foundation versions 5.x and 4.x.

From the VMware advisory:

“VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product. An authenticated malicious user could enter specially crafted SQL queries and perform unauthorized read/write operations in the database ...


Copyright of this story solely belongs to SecurityWeek.