VMware Aria Automation Updates Address SQL-Injection Vulnerability (CVE-2024-22280)
Broadcom, the parent company of VMware, has issued a security advisory warning users of VMware Aria Automation about a SQL injection vulnerability (CVE-2024-22280) that could allow authenticated attackers to manipulate databases and potentially gain unauthorized access to sensitive data.
The vulnerability, which carries a CVSS score of 8.5, stems from inadequate input validation within the VMware Aria Automation software. An authenticated attacker could exploit this flaw by injecting malicious SQL queries, enabling them to read, modify, or delete data stored in the application’s database.
Impact and Concerns:
The potential impact of this vulnerability is significant. Attackers could leverage it to steal confidential information, disrupt operations, or even gain control of affected systems. Given the widespread use of VMware Aria Automation in enterprise environments, this flaw poses a serious risk to organizations worldwide.
Affected Products and Versions:
- VMware Aria Automation 8.x
- VMware Cloud Foundation 5.x and 4.x
Urgent Patching Recommended:
Broadcom has released patches to address the vulnerability and strongly urges all users to apply them immediately. The patches are available through KB325790 for both VMware Aria Automation and VMware Cloud Foundation.