Support Content Notification - Support Portal

VMSA-2023-0002:VMware vRealize Operations (vROps) update addresses a CSRF bypass vulnerability

Product/Component

VMware Aria Suite

0 more products

Notification Id

23658

Last Updated

29 January 2023

Initial Publication Date

29 January 2023

Status

CLOSED

Severity

MEDIUM

CVSS Base Score

6.5

WorkAround

Affected CVE

CVE-2023-20856

Advisory ID: VMSA-2023-0002

CVSSv3 Range: 6.5

Issue Date:2023-01-31

Updated On: 2023-01-31 (Initial Advisory)

CVE(s): CVE-2023-20856

Synopsis: VMware vRealize Operations (vROps) update addresses a CSRF bypass vulnerability (CVE-2023-20856)

1. Impacted Products

VMware vRealize Operations (vROps)

2. Introduction

A vulnerability in VMware vRealize Operations (vROps) was privately reported to VMware. A patch is available to address this vulnerability in the affected VMware product.

3. VMware vRealize Operations (vROps) CSRF bypass vulnerability (CVE-2023-20856)

Description

vRealize Operations (vROps) contains a CSRF bypass vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5 .

Known Attack Vectors

A malicious user could execute actions on the platform on behalf of the authenticated victim user.

Resolution

To remediate CVE-2023-20856 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank thiscodecc of MoyunSec TopBreaker Labs and Bing for reporting this issue to us.

Response Matrix

Product	Version	Running On	CVE Identifier	CVSSv3	Severity	Fixed Version	Workarounds	Additional Documentation
VMware vRealize Operations (vROps)	8.10	Any	CVE-2023-20856	N/A	N/A	Unaffected	N/A	N/A
VMware vRealize Operations (vROps)	8.6.x	Any	CVE-2023-20856	6.5	moderate	KB90672	None	NA