VMware has patched five security flaws affecting its Workspace ONE Assist solution, some of which could be exploited to bypass authentication and obtain elevated permissions.
Topping the list are three critical vulnerabilities tracked as CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687. All three are rated 9.8 on the CVSS vulnerability scoring system.
CVE-2022-31685 is an authentication bypass flaw that could be abused by an attacker with network access to VMware Workspace ONE Assist to obtain administrative access without needing to authenticate to the application.
CVE-2022-31686 has been described by the virtualization services provider as a “broken authentication method” vulnerability, and CVE-2022-31687 as a “broken access control” flaw.
“A malicious actor with network access may be able to obtain administrative access without the need to authenticate to the application,” VMware said in an advisory for CVE-2022-31686 and CVE-2022-31687.
Another vulnerability is a reflected cross-site scripting (XSS) flaw (CVE-2022-31688, CVSS score: 6.4) stemming from improper user input sanitization, which could be exploited to inject arbitrary JavaScript code into the target user’s window.
Rounding off the patch is a session fixation vulnerability (CVE-2022-31689, CVSS score: 4.2) that VMware said is the result of improper handling of session tokens, adding that “a malicious actor who obtains a valid session token may be able to authenticate to the application using that token.”
Security researchers Jasper Westerman, Jan van der Put, Yanick de Pater, and Harm Blankers of Netherlands-based REQON have been credited with discovering and reporting the flaws.
All the issues affect versions 21.x and 22.x of VMware Workspace ONE Assist and have been fixed in version 22.10. The company also said there are no workarounds that address the weaknesses.
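The advisory describes CVE-2022-31689 only as improper handling of session tokens. The following added example (not VMware's code, and not a description of Workspace ONE Assist internals) shows the generic shape of a session fixation weakness in a web session layer and the standard mitigation: a session that was anonymous before login must be re-issued under a fresh token at the moment of authentication, so a token that existed before login never becomes an authenticated one. The `SessionStore`, the `login_*` functions and the demo credential are all constructed for illustration.

```python
"""Session fixation: vulnerable vs. hardened login (constructed example)."""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    # None means the session is anonymous (created before any login)
    user: Optional[str] = None


class SessionStore:
    """Minimal in-memory session table keyed by opaque token (assumption)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session()
        return token

    def get(self, token: str) -> Optional[Session]:
        return self._sessions.get(token)

    def rotate(self, old_token: str) -> str:
        """Move the session to a new token and invalidate the old one."""
        sess = self._sessions.pop(old_token)
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = sess
        return new_token


# Constructed demo credential; a real system would store a password hash.
USERS = {"alice": "correct horse battery staple"}


def login_vulnerable(store: SessionStore, token: str,
                     username: str, password: str) -> Optional[str]:
    """Authenticates the user in place on the pre-existing token.

    Whoever already knows that token (it was valid before login) now
    holds an authenticated session: this is the fixation weakness.
    """
    sess = store.get(token)
    if sess is None or USERS.get(username) != password:
        return None
    sess.user = username
    return token


def login_hardened(store: SessionStore, token: str,
                   username: str, password: str) -> Optional[str]:
    """Same credential check, but the pre-auth token is discarded and a
    fresh one issued at the privilege change; the old value maps to nothing."""
    sess = store.get(token)
    if sess is None or USERS.get(username) != password:
        return None
    new_token = store.rotate(token)
    store.get(new_token).user = username  # type: ignore[union-attr]
    return new_token


def preauth_token_survives_login(login: Callable[..., Optional[str]]) -> Optional[str]:
    """Check whether a token issued before login still works afterwards.

    Returns the user the old token resolves to after a successful login
    (None means the old token was correctly invalidated).
    """
    store = SessionStore()
    pre_auth = store.create()           # token that existed before login
    login(store, pre_auth, "alice", USERS["alice"])
    sess = store.get(pre_auth)
    return sess.user if sess else None


if __name__ == "__main__":
    print("vulnerable:", preauth_token_survives_login(login_vulnerable))  # alice
    print("hardened:  ", preauth_token_survives_login(login_hardened))    # None
```

The check in `preauth_token_survives_login` is the one worth adding to an application's own test suite: after any successful login, the token the client held beforehand must no longer resolve to a session.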
Some parts of this article are sourced from:
thehackernews.com