CVE-2023-20856: VMSA-2023-0002
VMware vRealize Operations (vROps) contains a CSRF bypass vulnerability. A malicious user could execute actions on the vROps platform on behalf of the authenticated victim user.
Advisory ID: VMSA-2023-0002
CVSSv3 Range: 6.5
Issue Date: 2023-01-31
Updated On: 2023-01-31 (Initial Advisory)
CVE(s): CVE-2023-20856
Synopsis: VMware vRealize Operations (vROps) update addresses a CSRF bypass vulnerability (CVE-2023-20856)
**1. Impacted Products**
- VMware vRealize Operations (vROps)
**2. Introduction**
A vulnerability in VMware vRealize Operations (vROps) was privately reported to VMware. A patch is available to address this vulnerability in the affected VMware product.
**3. VMware vRealize Operations (vROps) CSRF bypass vulnerability (CVE-2023-20856)**
vRealize Operations (vROps) contains a CSRF bypass vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.
A malicious user could execute actions on the platform on behalf of the authenticated victim user.
To remediate CVE-2023-20856, apply the updates listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
VMware would like to thank thiscodecc of MoyunSec TopBreaker Labs and Bing Liu of MoyunSec for reporting this issue to us.
Response Matrix:

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware vRealize Operations (vROps) | 8.10 | Any | CVE-2023-20856 | N/A | N/A | Unaffected | N/A | N/A |
| VMware vRealize Operations (vROps) | 8.6.x | Any | CVE-2023-20856 | 6.5 | Moderate | KB90672 | None | N/A |
**4. References**
**5. Change Log**
2023-01-31: VMSA-2023-0002 Initial security advisory.
**6. Contact**