20 matches found
CVE-2022-22954
CVE-2022-22954 is a server-side template injection (SSTI) leading to remote code execution in VMware Workspace ONE Access and VMware Identity Manager. The vulnerability allows an attacker with network access to trigger SSTI in Freemarker templates, potentially compromising the underlying system. ...
CVE-2022-22960
CVE-2022-22960 is a VMware privilege-escalation vulnerability in Workspace ONE Access, Identity Manager, and vRealize Automation caused by improper permissions in support scripts. A local attacker can escalate to root on affected systems. Technical details indicate affected products include VMwar...
CVE-2022-22955
CVE-2022-22955 and CVE-2022-22956 affect VMware Workspace ONE Access via the OAuth2 ACS framework. The issues are authentication bypass vulnerabilities that allow a remote attacker to bypass authentication and perform operations due to exposed endpoints. Technical context in connected docs confir...
CVE-2022-22972
CVE-2022-22972 is an authentication bypass affecting VMware Workspace ONE Access, Identity Manager, and vRealize Automation. A malicious actor with network access to the UI could obtain administrative access without authentication. Public materials (CVEs, vendor advisories) confirm affected produ...
CVE-2022-22957
Summary (CVE-2022-22957 / CVE-2022-22958): VMware Workspace ONE Access, Identity Manager and vRealize Automation are affected by remote code execution vulnerabilities. The root cause is deserialization of untrusted data via a malicious JDBC URI in the DBConnectionCheckController (CVE-2022-22957) ...
CVE-2022-22956
CVE-2022-22956 affects VMware Workspace ONE Access. The vulnerability is an authentication bypass in the OAuth2 ACS/OAuth2TokenResourceController layer, created by exposed endpoints that let a remote attacker bypass authentication and perform operations. It is part of a duo with CVE-2022-22955. T...
CVE-2023-20855
CVE-2023-20855 is an XXE vulnerability in VMware vRealize Orchestrator (affecting vRealize Orchestrator and related products such as vRealize Automation and Cloud Foundation). The root cause is an XML External Entity processing issue that allows a non-administrative user to craft input bypassing ...
CVE-2022-22959
CVE-2022-22959 affects VMware Workspace ONE Access, VMware Identity Manager, and vRealize Automation. The vulnerability is a Cross-Site Request Forgery (CSRF) that can trick a logged-in user into unknowingly validating a malicious JDBC URI, as described in the VMSA-2022-0011 advisory. This mode s...
CVE-2022-22961
CVE-2022-22961 affects VMware products including Workspace ONE Access, Identity Manager and vRealize Automation. The issue is an information-disclosure fault caused by returning excess data, enabling a remote attacker to leak the target’s hostname. The vulnerability is exploitable remotely and co...
CVE-2022-22958
CVE-2022-22958 is part of a pair of remote code execution vulnerabilities affecting VMware Workspace ONE Access, Identity Manager and vRealize Automation. Public details in the connected docs confirm two RCE vulnerabilities (CVE-2022-22957 and CVE-2022-22958) that can be triggered by an attacker ...
CVE-2021-22036
CVE-2021-22036 affects VMware vRealize Orchestrator 8.x before 8.6. The open redirect arises from improper path handling, enabling an attacker to redirect victims to an attacker‑controlled domain and potentially disclose sensitive information. Affected product versions: vRealize Orchestrator 8.x ...
CVE-2016-5335
CVE-2016-5335 affects VMware Identity Manager 2.x before 2.7 and vRealize Automation 7.0.x before 7.1. The issue is a local privilege escalation via unspecified vectors, allowing a low-privileged user to obtain root. VMware issued VMSA-2016-0013 and provided patches: Identity Manager 2.7 and vRea...
CVE-2016-7460
CVE-2016-7460 refers to an XML External Entity (XXE) vulnerability in the Single Sign-On feature of VMware products. Affects vCenter Server 5.5 before U3e and 6.0 before U2a, and vRealize Automation 6.x before 6.2.5. A specially crafted XML document containing an external entity declaration and a...
CVE-2021-22056
CVE-2021-22056 is an SSRF vulnerability affecting VMware Workspace ONE Access (versions 21.08, 20.10.0.1, 20.10) and VMware Identity Manager (3.3.5, 3.3.4, 3.3.3). A malicious actor with network access could make HTTP requests to arbitrary origins and read the full response. Red Hat and CVE recor...
CVE-2017-4947
CVE-2017-4947 describes a deserialization vulnerability via Xenon in VMware vRealize Automation (vRA) 7.2/7.3 and VIC 1.x before 1.3, allowing remote code execution on the appliance. Connected documents confirm the affected products/versions and cite mitigation via patches: vRA 7.2/7.3 require up...
CVE-2018-6959
CVE-2018-6959 affects VMware vRealize Automation (vRA) prior to 7.4.0, with a vulnerability in handling of session IDs that may allow hijacking a valid vRA user session. The Nessus/NVE and VMware advisory entries show affected versions up to 7.3.x (7.0.x–7.3.x) and indicate remediation via update...
CVE-2018-6958
Summary: CVE-2018-6958 affects VMware vRealize Automation (vRA) before 7.3.1, via a DOM-based XSS vulnerability that may lead to a compromised vRA user workstation. Affected versions: vRA 7.0.x, 7.1.x, 7.2.x, and 7.3.x before 7.3.1. Root cause: DOM-based XSS in the vRA interface. Impact: potentia...
CVE-2015-2344
VMware vRealize Automation 6.x is affected by a stored XSS vulnerability (CVE-2015-2344) in which improper input validation allows injected scripts via unspecified vectors. The issue affects 6.x releases prior to 6.2.4 on Linux and can be triggered by a crafted request, potentially compromising a...
CVE-2016-5334
CVE-2016-5334 affects VMware Identity Manager 2.x < 2.7.1 and vRealize Automation 7.x
CVE-2016-5336
CVE-2016-5336 affects VMware vRealize Automation 7.0.x before 7.1. A remote attacker could execute arbitrary code on the appliance; exploitation is possible without authentication per sources, potentially yielding access to a low-privileged account. The issue is discussed alongside CVE-2016-5335 ...