CVE-2023-20877 : VMware Aria Operations contains a privilege escalation vulnerability. An authent

VMware Aria Operations contains a privilege escalation vulnerability. An authenticated malicious user with ReadOnly privileges can perform code execution leading to privilege escalation.

Published 2023-05-12 21:15:09

Updated 2025-01-27 18:15:32

Source VMware

View at NVD, CVE.org

Vulnerability category: Gain privilege

Products affected by CVE-2023-20877

Vmware » Vrealize Operations » Version: 8.10.0 Update Hotfix1
cpe:2.3:a:vmware:vrealize_operations:8.10.0:hotfix1:*:*:*:*:*:*
Matching versions
Vmware » Vrealize Operations » Version: 8.10.0 Update Hotfix2
cpe:2.3:a:vmware:vrealize_operations:8.10.0:hotfix2:*:*:*:*:*:*
Matching versions
Vmware » Vrealize Operations » Version: 8.6.0 Update Hotfix1
cpe:2.3:a:vmware:vrealize_operations:8.6.0:hotfix1:*:*:*:*:*:*
Matching versions
Vmware » Vrealize Operations » Version: 8.6.0 Update Hotfix2
cpe:2.3:a:vmware:vrealize_operations:8.6.0:hotfix2:*:*:*:*:*:*
Matching versions
Vmware » Vrealize Operations » Version: 8.6.0 Update Hotfix8
cpe:2.3:a:vmware:vrealize_operations:8.6.0:hotfix8:*:*:*:*:*:*
Matching versions
Vmware » Vrealize Operations » Version: 8.6.0 Update Hotfix6
cpe:2.3:a:vmware:vrealize_operations:8.6.0:hotfix6:*:*:*:*:*:*
Matching versions
Vmware » Vrealize Operations » Version: 8.6.0 Update Hotfix5
cpe:2.3:a:vmware:vrealize_operations:8.6.0:hotfix5:*:*:*:*:*:*
Matching versions
Vmware » Vrealize Operations » Version: 8.6.0 Update Hotfix4
cpe:2.3:a:vmware:vrealize_operations:8.6.0:hotfix4:*:*:*:*:*:*
Matching versions
Vmware » Vrealize Operations » Version: 8.6.0 Update Hotfix9
cpe:2.3:a:vmware:vrealize_operations:8.6.0:hotfix9:*:*:*:*:*:*
Matching versions
Vmware » Vrealize Operations » Version: 8.6.0
cpe:2.3:a:vmware:vrealize_operations:8.6.0:-:*:*:*:*:*:*
Matching versions
Vmware » Vrealize Operations » Version: 8.10.0
cpe:2.3:a:vmware:vrealize_operations:8.10.0:-:*:*:*:*:*:*
Matching versions
Vmware » Cloud Foundation
Versions from including (>=) 4.0 and up to, including, (<=) 4.5
cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-20877

EPSS FAQ

0.39%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 57 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-20877

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-01-27
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-20877

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

References for CVE-2023-20877

https://www.vmware.com/security/advisories/VMSA-2023-0009.html

VMSA-2023-0009
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-20877

Products affected by CVE-2023-20877

Exploit prediction scoring system (EPSS) score for CVE-2023-20877

CVSS scores for CVE-2023-20877

CWE ids for CVE-2023-20877

References for CVE-2023-20877