CVE-2023-20889
Published: 07 June 2023
Summary
CVE-2023-20889 is a high-severity Command Injection (CWE-77) vulnerability in VMware vRealize Network Insight. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
VMware Aria Operations for Networks contains an information disclosure vulnerability arising from a command injection flaw, identified as CVE-2023-20889. The issue affects the network management product and carries a CVSS 3.1 base score of 7.5; it is classified as CWE-77 (improper neutralization of special elements used in a command).
An unauthenticated attacker with network access can exploit the flaw to execute injected commands and obtain sensitive information from the system, without needing user interaction or elevated privileges.
The issue is documented in VMware security advisory VMSA-2023-0012, which outlines remediation guidance and patch availability for affected installations. The associated EPSS score stands at 0.8963 with a recorded peak of 0.9023.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-25060
Vulnerability details
Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure.
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.