CVE-2022-22958

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through a malicious JDBC URI, which may result in remote code execution.
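
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 7.2 HIGH | NETWORK | LOW | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| vmware | CNA | --- | --- | --- | --- | --- |
| CVE | ADP | --- | --- | --- | --- | --- |
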
EPSS Score percentile: 84%

| Vendor | Product | Version |
|---|---|---|
| vmware | cloud_foundation | 3.0 ≤ 𝑥 < 5.0 |
| vmware | identity_manager | 3.3.3 |
| vmware | identity_manager | 3.3.4 |
| vmware | identity_manager | 3.3.5 |
| vmware | identity_manager | 3.3.6 |
| vmware | vrealize_automation | 8.0 ≤ 𝑥 < 9.0 |
| vmware | vrealize_automation | 7.6 |
| vmware | vrealize_suite_lifecycle_manager | 8.0 ≤ 𝑥 < 9.0 |
| vmware | workspace_one_access | 20.10.0.0 |
| vmware | workspace_one_access | 20.10.0.1 |
| vmware | workspace_one_access | 21.08.0.0 |
| vmware | workspace_one_access | 21.08.0.1 |

𝑥 = Vulnerable software versions