Published: Apr 11, 2025 08:53
Advisory No: TZCERT-SA-25-0086
Source: Broadcom
Software Affected: VMware Tanzu Greenplum Backup and Restore
VMware Tanzu Greenplum is affected by critical vulnerabilities. A remote attacker can exploit the vulnerabilities to execute arbitrary code.
VMware Tanzu Greenplum Backup and Restore is affected by critical vulnerabilities tracked as CVE-2023-39320, CVE-2024-24790, and CVE-2024-45337, with CVSS scores of 9.8 and 9.1. The vulnerabilities result from a flaw in the go.mod toolchain directive, from various methods returning false for addresses that would return true, and from misuse of the ServerConfig.PublicKeyCallback callback by applications and libraries. The attacker can execute arbitrary scripts and binaries within the context of a Go module, leading to unauthorized code execution.
Successful exploitation of these vulnerabilities may allow the attacker to take control of the affected system.
Drupal has released security patches for these vulnerabilities. Users and administrators are encouraged to apply necessary updates.
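The second root cause above (CVE-2024-24790) concerns Go's `net/netip` classification methods returning false for IPv4-mapped IPv6 addresses. The following Go program is an added example, not part of the advisory or of the vendor's code: it unmaps an address before classifying it, so an allow/deny decision does not depend on the patch level of the Go runtime. The function name `isInternal` and the sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// isInternal (hypothetical helper) reports whether s is a loopback, private,
// link-local, multicast or unspecified address. The address is unmapped
// first, so "::ffff:127.0.0.1" is judged as 127.0.0.1 on every Go release.
func isInternal(s string) (bool, error) {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		// Fail closed: the caller must treat an unparsable address as untrusted.
		return false, fmt.Errorf("parse %q: %w", s, err)
	}
	addr = addr.Unmap() // IPv4-mapped IPv6 -> plain IPv4; no-op for other addresses
	return addr.IsLoopback() ||
		addr.IsPrivate() ||
		addr.IsLinkLocalUnicast() ||
		addr.IsMulticast() ||
		addr.IsUnspecified(), nil
}

func main() {
	// Constructed sample inputs: plain and IPv4-mapped forms of the same hosts.
	samples := []string{
		"127.0.0.1",
		"::ffff:127.0.0.1",
		"::ffff:10.1.2.3",
		"::ffff:169.254.169.254",
		"203.0.113.10",
		"::ffff:203.0.113.10",
		"not-an-ip",
	}
	for _, s := range samples {
		internal, err := isInternal(s)
		if err != nil {
			fmt.Printf("%-24s rejected: %v\n", s, err)
			continue
		}
		fmt.Printf("%-24s internal=%v\n", s, internal)
	}
}
```

Normalizing in the application is a defence-in-depth measure and does not replace applying the vendor's update.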