CVE-2022-22956

VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vmwareCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
VendorProductVersion
vmwareidentity_manager
3.3.3
vmwareidentity_manager
3.3.4
vmwareidentity_manager
3.3.5
vmwareidentity_manager
3.3.6
vmwarevrealize_automation
8.0 ≤
𝑥
< 9.0
vmwarevrealize_automation
7.6
vmwareworkspace_one_access
20.10.0.0
vmwareworkspace_one_access
20.10.0.1
vmwareworkspace_one_access
21.08.0.0
vmwareworkspace_one_access
21.08.0.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/171918/Mware-Workspace-ONE-Remote-Code-Execution.html
http://packetstormsecurity.com/files/171918/VMware-Workspace-ONE-Remote-Code-Execution.html
https://www.vmware.com/security/advisories/VMSA-2022-0011.html
http://packetstormsecurity.com/files/171918/Mware-Workspace-ONE-Remote-Code-Execution.html
http://packetstormsecurity.com/files/171918/VMware-Workspace-ONE-Remote-Code-Execution.html
https://www.vmware.com/security/advisories/VMSA-2022-0011.html