VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Name | Vendor | Start Version | End Version |
---|---|---|---|
Identity_manager | Vmware | 3.3.3 | 3.3.3 |
Identity_manager | Vmware | 3.3.4 | 3.3.4 |
Identity_manager | Vmware | 3.3.5 | 3.3.5 |
Identity_manager | Vmware | 3.3.6 | 3.3.6 |
Vrealize_automation | Vmware | 8.0 | * |
Vrealize_automation | Vmware | 7.6 | 7.6 |
Workspace_one_access | Vmware | 20.10.0.0 | 20.10.0.0 |
Workspace_one_access | Vmware | 20.10.0.1 | 20.10.0.1 |
Workspace_one_access | Vmware | 21.08.0.0 | 21.08.0.0 |
Workspace_one_access | Vmware | 21.08.0.1 | 21.08.0.1 |