Headline
CVE-2023-20899: VMSA-2023-0015
VMware SD-WAN (Edge) contains a bypass authentication vulnerability. An unauthenticated attacker can download the Diagnostic bundle of the application under VMware SD-WAN Management.
Advisory ID: VMSA-2023-0015
CVSSv3 Range: 5.3
Issue Date: 2023-07-06
Updated On: 2023-07-06 (Initial Advisory)
CVE(s): CVE-2023-20899
Synopsis: VMware SD-WAN update addresses a bypass authentication vulnerability (CVE-2023-20899)
****1. Impacted Products****
****2. Introduction****
An Authentication Bypass Vulnerability affecting VMware SD-WAN was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.
****3. VMware SD-WAN Bypass Authentication Vulnerability (CVE-2023-20899)****
VMware SD-WAN contains a bypass authentication vulnerability. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 5.3.
An unauthenticated attacker can download the Diagnostic bundle of the application under VMware SD-WAN Management.
To remediate CVE-2023-20899 apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
This vulnerability affects Edge devices only and not the SD-WAN management console (VCO)
VMware would like to thank Marco Bruinenberg of Accenture for reporting this issue to us.
Product
Version
Running On
CVE Identifier
CVSSv3
Severity
Fixed Version
Workarounds
Additional Documentation
VMware SD-WAN (Edge)
5.2
Any
CVE-2023-20899
N/A
N/A
Unaffected
None
None
VMware SD-WAN (Edge)
5.1.x
Any
CVE-2023-20899
N/A
N/A
Unaffected
None
None
VMware SD-WAN (Edge)
5.0.x
Any
CVE-2023-20899
5.3
moderate
5.1
None
None
VMware SD-WAN (Edge)
4.5.x
Any
CVE-2023-20899
5.3
moderate
4.5.2
None
None
****4. References****
****5. Change Log****
2023-07-06 VMSA-2023-0015
Initial security advisory.
****6. Contact****