CVE-2022-22955 — Improper Authentication in Vmware Vrealize Automation

CWE-287 — Improper Authentication5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

70.1%

top 1.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Vrealize Automation Vmware Identity Manager Vmware Workspace ONE Access

Timeline

PublishedApr 13

Latest updateApr 14

Description

VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

▶NVDvmware/workspace_one_access4 versions+3

▶NVDvmware/vrealize_automation8.0 — 9.0+1

▶NVDvmware/identity_manager4 versions+3

Patches

Patch: www.vmware.com ↗Patch: www.vmware.com ↗

🔴Vulnerability Details

GHSA

GHSA-vv47-c6mc-7w69: VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework↗2022-04-14

▶

CVEList

CVE-2022-22955: VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework↗2022-04-13

▶

💥Exploits & PoCs

Nuclei

VMware Workspace ONE Access - Authentication Bypass

▶

📋Vendor Advisories

VMware

VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities.↗2022-04-06

▶