CVE-2022-31702: Unauthenticated command injection vulnerability in VMware vRNI
VMware on Tuesday announced patches for several critical and high-severity vulnerabilities affecting VMware vRealize Network Insight (vRNI).
The most severe of them, tracked as CVE-2022-31702, has a CVSS score of 9.8. VMware describes it as a command injection vulnerability in the product’s vRNI REST API component, which could allow an unauthenticated attacker to execute arbitrary operating system commands.
“vRealize Network Insight (vRNI) contains a command injection vulnerability present in the vRNI REST API. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8,” the company wrote in its advisory.
VMware also announced a patch for a directory traversal vulnerability in the same vRNI REST API, which could allow a malicious actor to “read arbitrary files from the server.” An attacker could send a specially crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system.
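Traversal attempts of the kind described above leave a recognisable trace in web-server access logs. The following detector is an added example, not VMware's code and not tied to any real vRNI endpoint: the log lines and the `/api/example/...` paths are constructed, and it goes slightly beyond the article by also catching percent-encoded and double-encoded forms of the “dot dot” sequence.

```python
import re
from urllib.parse import unquote

# Matches a ".." path segment that begins the path, follows a "/", or follows a
# query delimiter (=, ?, &, ;) and is followed by "/" or the end of the string.
# "a..b" in a filename does not match; "/../" and "file=../" do.
TRAVERSAL_RE = re.compile(r"(?:^|[/=?&;])\.\.(?:/|$)")

# Common-log-like format; only src, timestamp, method, path and status are used.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def decode_fully(path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until stable, so %252e%252e%252f is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(request_path: str) -> bool:
    """True if the decoded request path contains a directory-traversal segment."""
    normalized = decode_fully(request_path).replace("\\", "/")
    return TRAVERSAL_RE.search(normalized) is not None


def find_traversal_requests(log_text: str) -> list:
    """Return one record per log line whose request path looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and has_traversal(m["path"]):
            # A 200 on a flagged request (rather than 403/404) is the one to escalate:
            # it suggests the server actually served the file.
            hits.append({"src": m["src"], "path": m["path"], "status": int(m["status"])})
    return hits


# Constructed sample log (hypothetical API paths, private-range source addresses).
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [20/Dec/2022:10:01:02 +0000] "GET /api/example/report?file=summary.csv HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Dec/2022:10:01:07 +0000] "GET /api/example/report?file=../../../../etc/passwd HTTP/1.1" 200 1844',
    '10.0.0.9 - - [20/Dec/2022:10:01:09 +0000] "GET /api/example/report?file=..%2F..%2Fetc%2Fshadow HTTP/1.1" 403 0',
    '10.0.0.9 - - [20/Dec/2022:10:01:11 +0000] "GET /api/example/report?file=%252e%252e%252fetc%252fhosts HTTP/1.1" 200 220',
    '10.0.0.7 - - [20/Dec/2022:10:02:00 +0000] "GET /api/example/users?name=a..b HTTP/1.1" 200 90',
])

if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit)
```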
The two vulnerabilities addressed this week affect VMware vRNI versions 6.2, 6.3, 6.4, 6.5, 6.6, and 6.7; VMware patched them with the release of vRNI version 6.8. The Zero Day Initiative (ZDI) has been credited with finding CVE-2022-31702 and CVE-2022-31703.
VMware also notes that it currently has no evidence of in-the-wild exploitation of any of these vulnerabilities. The company recommends that all potentially affected customers apply the available patches as soon as possible.