CVE-2023-20900

Name: CVE-2023-20900
Creator: NVD / NIST
Published: 2023-08-31T10:15:08.247+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 1.19%

Last modified Jun 17, 2026

CVE-2023-20900 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. A malicious actor that has been granted Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .. EPSS estimates a 1.19% chance of exploitation in the next 30 days.

Description

A malicious actor that has been granted Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html .

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.19%

64.1th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-294

Affected Software

Vendor	Product	Versions
Vmware	Tools	>= 10.3.0, < 12.3.0
Vmware	Tools	>= 10.3.0, < 10.3.26
Vmware	Open Vm Tools	>= 10.3.0, < 12.3.0
Fedoraproject	Fedora	37
Fedoraproject	Fedora	38
Fedoraproject	Fedora	39
Debian	Debian Linux	10.0
Debian	Debian Linux	11.0
Debian	Debian Linux	12.0
Netapp	Ontap Select Deploy Administration Utility	All versions

References

http://www.openwall.com/lists/oss-security/2023/08/31/1Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/27/1Mailing List, Patch
https://lists.debian.org/debian-lts-announce/2023/10/msg00000.htmlMailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NVKQ6Y2JFJRWPFOZUOTFO3H27BK5GGOG/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TJNJMD67QIT6LXLKWSHFM47DCLRSMT6W/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZJM6HDRQYS74JA7YNKQBFH2XSZ52HEWH/Mailing List
https://security.netapp.com/advisory/ntap-20231013-0002/Third Party Advisory
https://www.debian.org/security/2023/dsa-5493Third Party Advisory
https://www.vmware.com/security/advisories/VMSA-2023-0019.htmlPatch, Vendor Advisory
http://www.openwall.com/lists/oss-security/2023/08/31/1Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/10/27/1Mailing List, Patch
https://lists.debian.org/debian-lts-announce/2023/10/msg00000.htmlMailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NVKQ6Y2JFJRWPFOZUOTFO3H27BK5GGOG/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TJNJMD67QIT6LXLKWSHFM47DCLRSMT6W/Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZJM6HDRQYS74JA7YNKQBFH2XSZ52HEWH/Mailing List
https://security.netapp.com/advisory/ntap-20231013-0002/Third Party Advisory
https://www.debian.org/security/2023/dsa-5493Third Party Advisory
https://www.vmware.com/security/advisories/VMSA-2023-0019.htmlPatch, Vendor Advisory

Timeline

Published: Aug 31, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-20900?

How severe is CVE-2023-20900?

CVE-2023-20900 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 1.19% probability of exploitation in the next 30 days.

How do I fix CVE-2023-20900?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-20900?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST