CVE-2022-31708: 
VMware vRealize Operations Manager vulnerability analysis and mitigation

VMware vRealize Operations (vROps) contains a broken access control vulnerability identified as CVE-2022-31708, which was disclosed on December 15, 2022. The vulnerability affects VMware vRealize Operations (vROps) versions 8.10.x prior to 8.10.1 and versions 8.6.x without the KB90232 patch. VMware has evaluated this vulnerability to be in the Moderate severity range with a CVSS v3.1 base score of 4.9 (VMware Advisory, NVD).

The vulnerability stems from improper access control configuration within the CaSA component of vRealize Operations. The specific flaw results from the lack of proper access control mechanisms, which allows authenticated users with administrative privileges to access sensitive information they shouldn't normally have access to. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N (ZDI Advisory, NVD).

The vulnerability allows a malicious actor with admin privileges in the vROps application to read sensitive information from the underlying operating system. This information disclosure could potentially expose critical system data to unauthorized access (VMware Advisory).

VMware has released patches to address this vulnerability. Users of affected versions should upgrade to VMware vRealize Operations (vROps) version 8.10.1 or apply the KB90232 patch for version 8.6.x. No workarounds are available for this vulnerability, making it critical to apply the provided updates (VMware Advisory).