CVE-2022-22955

VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.
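| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vmware | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |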
EPSS Score: Percentile: 27%
| Vendor | Product | Version |
|---|---|---|
| vmware | identity_manager | 3.3.3 |
| vmware | identity_manager | 3.3.4 |
| vmware | identity_manager | 3.3.5 |
| vmware | identity_manager | 3.3.6 |
| vmware | vrealize_automation | 8.0 ≤ 𝑥 < 9.0 |
| vmware | vrealize_automation | 7.6 |
| vmware | workspace_one_access | 20.10.0.0 |
| vmware | workspace_one_access | 20.10.0.1 |
| vmware | workspace_one_access | 21.08.0.0 |
| vmware | workspace_one_access | 21.08.0.1 |

𝑥 = Vulnerable software versions