Lucene search

[email protected]CVE-2021-22002

HistoryAug 31, 2021 - 10:15 p.m.

CVE-2021-22002

2021-08-3122:15:00

CWE-287

[email protected]

web.nvd.nist.gov

cve

2021

22002

vmware workspace one

access

identity manager

web app

diagnostic endpoints

port 8443

port 443

host header

tampering

authentication

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

65.2%

JSON

VMware Workspace ONE Access and Identity Manager, allow the /cfg web app and diagnostic endpoints, on port 8443, to be accessed via port 443 using a custom host header. A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the /cfg web app, in addition a malicious actor could access /cfg diagnostic endpoints without authentication.

CPENameOperatorVersion
vmware:identity_managervmware identity managereq3.3.2
vmware:identity_managervmware identity managereq3.3.3
vmware:identity_managervmware identity managereq3.3.4
vmware:identity_managervmware identity managereq3.3.5
vmware:workspace_one_accessvmware workspace one accesseq20.01
vmware:workspace_one_accessvmware workspace one accesseq20.10
vmware:workspace_one_accessvmware workspace one accesseq20.10.01
vmware:cloud_foundationvmware cloud foundationeq4.0
vmware:cloud_foundationvmware cloud foundationeq4.0.1
vmware:vrealize_suite_lifecycle_managervmware vrealize suite lifecycle managereq8.0

CPE	Name	Operator	Version
vmware:identity_manager	vmware identity manager	eq	3.3.2
vmware:identity_manager	vmware identity manager	eq	3.3.3
vmware:identity_manager	vmware identity manager	eq	3.3.4
vmware:identity_manager	vmware identity manager	eq	3.3.5
vmware:workspace_one_access	vmware workspace one access	eq	20.01
vmware:workspace_one_access	vmware workspace one access	eq	20.10
vmware:workspace_one_access	vmware workspace one access	eq	20.10.01
vmware:cloud_foundation	vmware cloud foundation	eq	4.0
vmware:cloud_foundation	vmware cloud foundation	eq	4.0.1
vmware:vrealize_suite_lifecycle_manager	vmware vrealize suite lifecycle manager	eq	8.0

Rows per page:

1-10 of 161

References

www.vmware.com/security/advisories/VMSA-2021-0016.html

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.3 High

AI Score

Confidence

High

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

65.2%

JSON

Related for CVE-2021-22002

cvelist1 osv1 prion1 vmware1 thn1 nessus1