Access Control Vulnerability in VMware Workspace ONE Access and Identity Manager
CVE-2021-22002

9.8CRITICAL

Key Information:

Vendor: Vmware
Status: Vmware Workspace One Access, Identity Manager And Vrealize Automation
Vendor: CVE Published:; 31 August 2021

Summary

A vulnerability in VMware Workspace ONE Access and Identity Manager permits unauthorized access to the /cfg web application and diagnostic endpoints through port 443. By manipulating host headers, an attacker with network access to port 443 can compromise potentially sensitive data and perform unauthorized actions on the /cfg application. Additionally, this vulnerability allows for unauthorized access to diagnostic endpoints without any form of authentication, posing significant security risks to affected systems.

Affected Version(s)

VMware Workspace ONE Access, Identity Manager and vRealize Automation Workspace ONE Access 20.10.01, 20.10 & 20.01. Identity Manager 3.3.5, 3.3.4, 3.3.3 & 3.3.2. vRealize Automation (vIDM) 7.6.

References

https://www.vmware.com/security/advisories/VMSA-2021-0016...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 31, 2021
Vulnerability Reserved
Jan 4, 2021