VMware has patched 5 safety flaws affecting its Workspace ONE Help resolution, a few of which might be exploited to bypass authentication and procure elevated permissions.
Topping the checklist, are three vital vulnerabilities tracked as CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687. All of the shortcomings are rated 9.8 on the CVSS vulnerability scoring system.
CVE-2022-31685 is an authentication bypass flaw that might be abused by an attacker with community entry to VMware Workspace ONE Help to acquire administrative entry with out the necessity to authenticate to the appliance.
CVE-2022-31686 has been described by the virtualization companies supplier as a “damaged authentication methodology” vulnerability, and CVE-2022-31687 as a “Damaged Entry Management” flaw.
“A malicious actor with community entry could possibly get hold of administrative entry with out the necessity to authenticate to the appliance,” VMware mentioned in an advisory for CVE-2022-31686 and CVE-2022-31687.
One other vulnerability is a case of a mirrored cross-site scripting (XSS) vulnerability (CVE-2022-31688, CVSS rating: 6.4) stemming from improper person enter sanitization, one thing that might be exploited to inject arbitrary JavaScript code within the goal person’s window.
Rounding off the patch is a session fixation vulnerability (CVE-2022-31689, CVSS rating: 4.2) that VMware mentioned is the results of improper dealing with of session tokens, including “a malicious actor who obtains a sound session token could possibly authenticate to the appliance utilizing that token.”
Safety researchers Jasper Westerman, Jan van der Put, Yanick de Pater, and Hurt Blankers of Netherlands-based Reqon have been credited with discovering and reporting the failings.
All the problems affect variations 21.x and 22.x of VMware Workspace ONE Help and have been mounted in model 22.10. The corporate additionally mentioned there are not any workarounds that tackle the weaknesses.
