
VMware Patches Critical SQL-Injection Flaw in Aria Automation

VMware warns that authenticated malicious users could enter specially crafted SQL queries and perform unauthorized read/write operations in the database.

Broadcom-owned VMware on Wednesday pushed out patches for a high-risk SQL-injection vulnerability in its Aria Automation product and warned that an authenticated malicious user could target the flaw to manipulate databases.

The vulnerability, tracked as CVE-2024-22280, allows for unauthorized read and write operations in the database through specially crafted SQL queries, VMware said in an advisory with a “high-severity” rating.

The bug carries a CVSS severity score of 8.5/10.

Affected products include VMware Aria Automation version 8.x, and VMware Cloud Foundation versions 5.x and 4.x.

From the VMware advisory:

“VMware Aria Automation does not apply correct input validation which allows for SQL-injection in the product. An authenticated malicious user could enter specially crafted SQL queries and perform unauthorized read/write operations in the database.”

VMware said the bug was privately reported by researchers at Quebec’s Centre Gouvernemental de Cyberdéfense (CGCD).


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
