CVE-2020-4006 - OpenCVE

VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:S/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Windows
Vmware	One Access Identity Manager Connector Identity Manager Cloud Foundation Vrealize Suite Lifecycle Manager
Linux	Linux Kernel

Configuration 1 [-]

AND

OR	cpe:2.3:a:vmware:identity_manager:3.3.1:::::::*
	cpe:2.3:a:vmware:identity_manager:3.3.2:::::::*
	cpe:2.3:a:vmware:identity_manager:3.3.3:::::::*
	cpe:2.3:a:vmware:identity_manager_connector:3.3.1:::::::*
	cpe:2.3:a:vmware:identity_manager_connector:3.3.2:::::::*
	cpe:2.3:a:vmware:one_access:20.01:::::::*
	cpe:2.3:a:vmware:one_access:20.10:::::::*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

OR	cpe:2.3:a:vmware:identity_manager_connector:3.3.1:::::::*
	cpe:2.3:a:vmware:identity_manager_connector:3.3.2:::::::*
	cpe:2.3:a:vmware:identity_manager_connector:3.3.3:::::::*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:a:vmware:cloud_foundation:4.0:::::::*
	cpe:2.3:a:vmware:cloud_foundation:4.0.1:::::::*
	cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager::::::::

References

Link	Resource
https://www.vmware.com/security/advisories/VMSA-2020-0027.html	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: vmware

Published: 2020-11-23T21:22:40

Updated: 2020-11-23T21:22:40

Reserved: 2019-12-30T00:00:00

Link: CVE-2020-4006

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-11-23T22:15:12.663

Modified: 2021-07-21T11:39:23.747

Link: CVE-2020-4006

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"containers": {"cna": {"affected": [{"product": "VMware Workspace One Access (Access), VMware Workspace One Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware Cloud Foundation, vRealize Suite Lifecycle Manager", "vendor": "n/a", "versions": [{"status": "affected", "version": "Multiple"}]}], "descriptions": [{"lang": "en", "value": "VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability."}], "problemTypes": [{"descriptions": [{"description": "Command Injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-11-23T21:22:40", "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.vmware.com/security/advisories/VMSA-2020-0027.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@vmware.com", "ID": "CVE-2020-4006", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "VMware Workspace One Access (Access), VMware Workspace One Access Connector (Access Connector), VMware Identity Manager (vIDM), VMware Identity Manager Connector (vIDM Connector), VMware Cloud Foundation, vRealize Suite Lifecycle Manager", "version": {"version_data": [{"version_value": "Multiple"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Command Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.vmware.com/security/advisories/VMSA-2020-0027.html", "refsource": "MISC", "url": "https://www.vmware.com/security/advisories/VMSA-2020-0027.html"}]}}}}, "cveMetadata": {"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "assignerShortName": "vmware", "cveId": "CVE-2020-4006", "datePublished": "2020-11-23T21:22:40", "dateReserved": "2019-12-30T00:00:00", "dateUpdated": "2020-11-23T21:22:40", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"cisaActionDue": "2022-05-03", "cisaExploitAdd": "2021-11-03", "cisaRequiredAction": "Apply updates per vendor instructions.", "cisaVulnerabilityName": "Multiple VMware Products Command Injection Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:identity_manager:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "E7DAA017-7535-47D6-A4C7-59F69ED0F43F", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:identity_manager:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "22BC2D96-5922-4995-B006-1BAB5FE51D93", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:identity_manager:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "97D98937-489B-4AA5-B99E-9AB639C582CA", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:identity_manager_connector:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "4CFFC72D-0068-49D0-B816-706CC2A2389C", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:identity_manager_connector:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "EE9DF6CB-58CF-49BE-B61C-F5115B333E81", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:one_access:20.01:*:*:*:*:*:*:*", "matchCriteriaId": "1A251628-E02A-42B2-85E4-71C2B6F09BF3", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:one_access:20.10:*:*:*:*:*:*:*", "matchCriteriaId": "D86477D5-C441-490C-A9D3-9CDE47542191", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:identity_manager_connector:3.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "4CFFC72D-0068-49D0-B816-706CC2A2389C", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:identity_manager_connector:3.3.2:*:*:*:*:*:*:*", "matchCriteriaId": "EE9DF6CB-58CF-49BE-B61C-F5115B333E81", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:identity_manager_connector:3.3.3:*:*:*:*:*:*:*", "matchCriteriaId": "1D035B36-3D87-494F-B147-6D03F2B1A375", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:cloud_foundation:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "38EB0C0C-56CF-4A8F-A36F-E0E180B9059E", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:cloud_foundation:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "A54544F5-5929-4609-A91C-FCA0FDBFE862", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4767C7D-8165-43A6-8F16-12F8EE65FDFB", "versionEndIncluding": "8.2", "versionStartIncluding": "8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector address have a command injection vulnerability."}, {"lang": "es", "value": "VMware Workspace One Access, Access Connector, Identity Manager e Identity Manager Connector abordan una vulnerabilidad de inyecci\u00f3n de comandos"}], "id": "CVE-2020-4006", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-11-23T22:15:12.663", "references": [{"source": "security@vmware.com", "tags": ["Vendor Advisory"], "url": "https://www.vmware.com/security/advisories/VMSA-2020-0027.html"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}]}