CVE-2023-34063: A vulnerability was discovered in VMware Aria Automation and Cloud Foundation that affects unknown components. (23rd Jan 2024)

Preface: A missing function-level access control vulnerability is a flaw in the authorization logic. By exploiting it, an attacker, who could be an existing user of the application, can escalate privileges and access restricted functionality.

Background: VMware Aria Automation Orchestrator (formerly vRealize Orchestrator). VMware Aria is an intelligent multi-cloud management solution that enables you to consistently deploy and operate your apps, infrastructure, and platform services across private, hybrid, and multiple clouds from a single platform with a common data model.

Ref: vRealize Automation includes a preconfigured embedded vRealize Orchestrator instance. You can access the client of the embedded vRealize Orchestrator from the vRealize Automation Cloud Services Console.

Vulnerability details: An authenticated malicious actor may exploit this vulnerability, leading to unauthorized access to remote organizations and workflows.
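To make the class of flaw in the preface concrete, the added example below (not VMware code and not a reconstruction of the actual defect, whose affected components are unknown) contrasts a handler that skips authorization with one that enforces organization and role checks server-side. It also includes a small audit helper that defenders can run as a regression test. The `User`, `Workflow`, role name and sample data are all hypothetical.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested function."""

@dataclass(frozen=True)
class User:
    name: str
    org_id: str
    roles: frozenset

@dataclass(frozen=True)
class Workflow:
    wf_id: str
    org_id: str
    definition: str

# Constructed sample data: two organizations (tenants), one workflow each.
WORKFLOWS = {
    "wf-1": Workflow("wf-1", "org-a", "provision-vm"),
    "wf-2": Workflow("wf-2", "org-b", "rotate-secrets"),
}

def get_workflow_unchecked(user, wf_id):
    """Flawed: the caller is authenticated, but no authorization is performed."""
    return WORKFLOWS[wf_id]

def get_workflow_checked(user, wf_id):
    """Hardened: deny by default; organization and role are verified server-side."""
    wf = WORKFLOWS.get(wf_id)
    # Same error for "missing" and "other organization" so IDs cannot be enumerated.
    if wf is None or wf.org_id != user.org_id:
        raise Forbidden("workflow not available to this organization")
    if "workflow-viewer" not in user.roles:
        raise Forbidden("role 'workflow-viewer' required")
    return wf

def audit_cross_org_access(handler, users):
    """Return (user, wf_id) pairs where handler served another org's workflow."""
    leaks = []
    for user in users:
        for wf_id, wf in WORKFLOWS.items():
            try:
                handler(user, wf_id)
            except Forbidden:
                continue
            if wf.org_id != user.org_id:
                leaks.append((user.name, wf_id))
    return leaks
```

Running `audit_cross_org_access` against every handler in a test suite catches a function that was added without an authorization check before it ships.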

Resolution: To remediate CVE-2023-34063, apply the patches.

Official announcement: Please refer to the link for details – https://www.vmware.com/security/advisories/VMSA-2024-0001.html
