Vulnerability Description
VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| VMware | Identity Manager | 3.3.3 |
| VMware | vRealize Automation | >= 8.0, < 9.0 |
| VMware | Workspace ONE Access | 20.10.0.0 |
| Linux | Linux Kernel | - |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/171918/Mware-Workspace-ONE-Remote-Code-Exec
- http://packetstormsecurity.com/files/171918/VMware-Workspace-ONE-Remote-Code-Exe
- https://www.vmware.com/security/advisories/VMSA-2022-0011.html (Patch, Vendor Advisory)
FAQ
What is CVE-2022-22956?
CVE-2022-22956 is a vulnerability with a CVSS score of 9.8 (CRITICAL). VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and e...
How severe is CVE-2022-22956?
CVE-2022-22956 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-22956?
Check the references section above for vendor advisories and patch information. Affected products include: VMware Identity Manager, VMware vRealize Automation, VMware Workspace ONE Access, Linux Kernel.