Lucene search

[email protected]NVD:CVE-2022-22955

HistoryApr 13, 2022 - 6:15 p.m.

CVE-2022-22955

2022-04-1318:15:12

[email protected]

web.nvd.nist.gov

vmware workspace one access

authentication bypass

vulnerabilities

oauth2 acs framework

exposed endpoints

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

58.7%

JSON

VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.

Affected configurations

Nvd

Node

vmwareidentity_managerMatch3.3.3

vmwareidentity_managerMatch3.3.4

vmwareidentity_managerMatch3.3.5

vmwareidentity_managerMatch3.3.6

vmwarevrealize_automationRange8.0–9.0

vmwarevrealize_automationMatch7.6

vmwareworkspace_one_accessMatch20.10.0.0

vmwareworkspace_one_accessMatch20.10.0.1

vmwareworkspace_one_accessMatch21.08.0.0

vmwareworkspace_one_accessMatch21.08.0.1

AND

linuxlinux_kernelMatch-

VendorProductVersionCPE
vmwareidentity_manager3.3.3cpe:2.3:a:vmware:identity_manager:3.3.3:*:*:*:*:*:*:*
vmwareidentity_manager3.3.4cpe:2.3:a:vmware:identity_manager:3.3.4:*:*:*:*:*:*:*
vmwareidentity_manager3.3.5cpe:2.3:a:vmware:identity_manager:3.3.5:*:*:*:*:*:*:*
vmwareidentity_manager3.3.6cpe:2.3:a:vmware:identity_manager:3.3.6:*:*:*:*:*:*:*
vmwarevrealize_automation*cpe:2.3:a:vmware:vrealize_automation:*:*:*:*:*:*:*:*
vmwarevrealize_automation7.6cpe:2.3:a:vmware:vrealize_automation:7.6:*:*:*:*:*:*:*
vmwareworkspace_one_access20.10.0.0cpe:2.3:a:vmware:workspace_one_access:20.10.0.0:*:*:*:*:*:*:*
vmwareworkspace_one_access20.10.0.1cpe:2.3:a:vmware:workspace_one_access:20.10.0.1:*:*:*:*:*:*:*
vmwareworkspace_one_access21.08.0.0cpe:2.3:a:vmware:workspace_one_access:21.08.0.0:*:*:*:*:*:*:*
vmwareworkspace_one_access21.08.0.1cpe:2.3:a:vmware:workspace_one_access:21.08.0.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vmware	identity_manager	3.3.3	cpe:2.3:a:vmware:identity_manager:3.3.3:::::::*
vmware	identity_manager	3.3.4	cpe:2.3:a:vmware:identity_manager:3.3.4:::::::*
vmware	identity_manager	3.3.5	cpe:2.3:a:vmware:identity_manager:3.3.5:::::::*
vmware	identity_manager	3.3.6	cpe:2.3:a:vmware:identity_manager:3.3.6:::::::*
vmware	vrealize_automation	*	cpe:2.3:a:vmware:vrealize_automation::::::::
vmware	vrealize_automation	7.6	cpe:2.3:a:vmware:vrealize_automation:7.6:::::::*
vmware	workspace_one_access	20.10.0.0	cpe:2.3:a:vmware:workspace_one_access:20.10.0.0:::::::*
vmware	workspace_one_access	20.10.0.1	cpe:2.3:a:vmware:workspace_one_access:20.10.0.1:::::::*
vmware	workspace_one_access	21.08.0.0	cpe:2.3:a:vmware:workspace_one_access:21.08.0.0:::::::*
vmware	workspace_one_access	21.08.0.1	cpe:2.3:a:vmware:workspace_one_access:21.08.0.1:::::::*