CVE-2023-0015: 
SAP BusinessObjects Business Intelligence Platform vulnerability analysis and mitigation

VMware SD-WAN contains a bypass authentication vulnerability identified as CVE-2023-20899, which was privately reported to VMware. The vulnerability affects VMware SD-WAN Edge devices and was disclosed on July 6, 2023. The vulnerability has been evaluated to be in the moderate severity range with a CVSSv3 base score of 5.3 (VMware Advisory).

The vulnerability allows a malicious actor with network access to the Edge Local Web UI to download an Edge Diagnostic bundle of the application without authentication. It's important to note that Local Web UI Access is disabled by default. The vulnerability has been assigned a moderate severity rating with a CVSSv3 base score of 5.3 (VMware Advisory).

If exploited, this vulnerability allows unauthorized access to Edge Diagnostic bundles through the Edge Local Web UI. The impact is limited as the Local Web UI is disabled by default, which serves as a natural mitigation factor (VMware Advisory).

VMware has released version 4.5.2 to address this vulnerability. Additionally, VMware recommends leaving the Local Web UI disabled, which is the default configuration. For cases where Local Web UI has been manually enabled, instructions for disabling it can be found in the VMware SD-WAN Product Documentation. Following the Hardening Guidelines will prevent this vulnerability from being exploited (VMware Advisory).

VMware acknowledged Marco Bruinenberg of Accenture for reporting this security issue (VMware Advisory).