Server-Side Request Forgery in VMware Aria Automation
CVE-2025-22215

4.3MEDIUM

Key Information:

Vendor: Vmware
Status: Vmware Aria Automation; Vmware Cloud Foundation (vmware Aria Automation)
Vendor: CVE Published:; 8 January 2025

Summary

VMware Aria Automation exposes a server-side request forgery (SSRF) vulnerability that allows a malicious actor with 'Organization Member' access to exploit the system. By leveraging this vulnerability, the actor can enumerate and potentially access sensitive internal services running on the host or network, which could lead to unauthorized data exposure and compromise of the environment. It is crucial for organizations using this product to assess their risk and implement necessary security measures to protect against exploitation.

Affected Version(s)

VMware Aria Automation any 8.x < 8.18.1 patch 1

VMware Cloud Foundation (VMware Aria Automation) Any 5.x < 8.18.1 patch 1

VMware Cloud Foundation (VMware Aria Automation) Any 4.x < 8.18.1 patch 1

References

https://support.broadcom.com/web/ecx/support-content-noti...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 8, 2025
Vulnerability Reserved
Jan 2, 2025