CVE-2021-22056
Severity
7.5 HIGH
EPSS
0.7%
top 26.92%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Dec 20
Latest update: Dec 21
Description
VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 and Identity Manager 3.3.5, 3.3.4, and 3.3.3 contain an SSRF vulnerability. A malicious actor with network access may be able to make HTTP requests to arbitrary origins and read the full response.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages (4 packages)
CVEListV5: vmware_workspace_one_access_and_identity_manager: VMware Workspace ONE Access 21.08, 20.10.0.1, and 20.10 and Identity Manager 3.3.5, 3.3.4, and 3.3.3
Patches
Vulnerability Details (2)
Vendor Advisories (1)
VMware
VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities (CVE-2021-22056, CVE-2021-22057), 2021-12-17