VMware Warns of Three New Critical Flaws Affecting Workspace ONE Assist Software

VMware has patched five security flaws affecting its Workspace ONE Assist solution, some of which could be exploited to bypass authentication and obtain elevated permissions.

Topping the list are three critical vulnerabilities tracked as CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687. All the shortcomings are rated 9.8 on the CVSS vulnerability scoring system.

CVE-2022-31685 is an authentication bypass flaw that could be abused by an attacker with network access to VMware Workspace ONE Assist to obtain administrative access without the need to authenticate to the application.

CVE-2022-31686 has been described by the virtualization services provider as a “Broken Authentication Method” vulnerability, and CVE-2022-31687 as a “Broken Access Control” flaw.

“A malicious actor with network access could possibly receive administrative access without the necessity to authenticate to the application,” VMware said in an advisory for CVE-2022-31686 and CVE-2022-31687.

Another vulnerability is a reflected cross-site scripting (XSS) flaw (CVE-2022-31688, CVSS score: 6.4) stemming from improper user input sanitization, something that could be exploited to inject arbitrary JavaScript code in the target user’s window.

Rounding off the patch is a session fixation vulnerability (CVE-2022-31689, CVSS score: 4.2) that VMware said is the result of improper handling of session tokens, adding “a malicious actor who obtains a valid session token could possibly authenticate to the application utilizing that token.”

Security researchers Jasper Westerman, Jan van der Put, Yanick de Pater, and Harm Blankers of Netherlands-based Reqon have been credited with discovering and reporting the flaws.

All the issues affect versions 21.x and 22.x of VMware Workspace ONE Assist and have been fixed in version 22.10. The company also said there are no workarounds that address the weaknesses.
