Medium
A malicious actor with administrative access to the vRealize Operations Manager API can read any arbitrary file on the server, leading to information disclosure.
A malicious actor with administrative access to the vRealize Operations Manager API may be able to modify other users' information, leading to an account takeover.
An unauthenticated malicious actor with network access to the vRealize Operations Manager API can read any log file resulting in sensitive information disclosure.
An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to the existing vROps cluster.
An unauthenticated malicious actor with network access to the vRealize Operations Manager API can perform a Server-Side Request Forgery attack, leading to information disclosure.
VMware
Refer to the VMware Security Advisory for the patch, upgrade, or suggested workaround information.