CVE-2022-31657 - OpenCVE

VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. A malicious actor with network access may be able to redirect an authenticated user to an arbitrary domain.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Microsoft	Windows
Vmware	One Access Identity Manager Connector Identity Manager Access Connector
Linux	Linux Kernel

Configuration 1 [-]

AND

OR	cpe:2.3:a:vmware:identity_manager:3.3.4:::::::*
	cpe:2.3:a:vmware:identity_manager:3.3.5:::::::*
	cpe:2.3:a:vmware:identity_manager:3.3.6:::::::*
	cpe:2.3:a:vmware:one_access:21.08.0.0:::::::*
	cpe:2.3:a:vmware:one_access:21.08.0.1:::::::*

cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

OR	cpe:2.3:a:vmware:access_connector:21.08.0.0:::::::*
	cpe:2.3:a:vmware:access_connector:21.08.0.1:::::::*
	cpe:2.3:a:vmware:access_connector:22.05:::::::*
	cpe:2.3:a:vmware:identity_manager_connector:3.3.4:::::::*
	cpe:2.3:a:vmware:identity_manager_connector:3.3.5:::::::*
	cpe:2.3:a:vmware:identity_manager_connector:3.3.6:::::::*
	cpe:2.3:a:vmware:identity_manager_connector:19.03.0.1:::::::*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

References

Link	Resource
https://www.vmware.com/security/advisories/VMSA-2022-0021.html	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: vmware

Published: 2022-08-05T15:07:39

Updated: 2022-08-05T15:07:39

Reserved: 2022-05-25T00:00:00

Link: CVE-2022-31657

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-08-05T16:15:12.653

Modified: 2023-08-08T14:21:49.707

Link: CVE-2022-31657

JSON object: View

Redhat Information

No data.

CWE

CWE-601

{"containers": {"cna": {"affected": [{"product": "VMware Workspace ONE Access, Identity Manager and vRealize Automation", "vendor": "n/a", "versions": [{"status": "affected", "version": "Workspace One Access (21.08.0.1 & 21.08.0.0), Identity Manager (vIDM) (3.3.6, 3.3.5 & 3.3.4), and vRealize Automation 7.6"}]}], "descriptions": [{"lang": "en", "value": "VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. A malicious actor with network access may be able to redirect an authenticated user to an arbitrary domain."}], "problemTypes": [{"descriptions": [{"description": "VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-05T15:07:39", "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.vmware.com/security/advisories/VMSA-2022-0021.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@vmware.com", "ID": "CVE-2022-31657", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "VMware Workspace ONE Access, Identity Manager and vRealize Automation", "version": {"version_data": [{"version_value": "Workspace One Access (21.08.0.1 & 21.08.0.0), Identity Manager (vIDM) (3.3.6, 3.3.5 & 3.3.4), and vRealize Automation 7.6"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. A malicious actor with network access may be able to redirect an authenticated user to an arbitrary domain."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability"}]}]}, "references": {"reference_data": [{"name": "https://www.vmware.com/security/advisories/VMSA-2022-0021.html", "refsource": "MISC", "url": "https://www.vmware.com/security/advisories/VMSA-2022-0021.html"}]}}}}, "cveMetadata": {"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "assignerShortName": "vmware", "cveId": "CVE-2022-31657", "datePublished": "2022-08-05T15:07:39", "dateReserved": "2022-05-25T00:00:00", "dateUpdated": "2022-08-05T15:07:39", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:identity_manager:3.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "0E93CB5E-CB4A-474A-9901-2E098928C489", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:identity_manager:3.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "2A215A7D-F644-41DE-AB4E-69145DA48F9F", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:identity_manager:3.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "5EBB8190-2101-4EE5-844E-B46E7FB78FD7", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:one_access:21.08.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "8189EEC2-261B-4095-B4AD-9094CEAB41C9", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:one_access:21.08.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "E3478B3B-AB6D-4D8F-BB82-E0AC211B0D77", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:access_connector:21.08.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5742FBFE-0E10-4758-BDE0-230F26DFF425", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:access_connector:21.08.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "03FEA521-8812-47F0-96FC-C0DD93D5C5F4", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:access_connector:22.05:*:*:*:*:*:*:*", "matchCriteriaId": "B9167129-35D9-47FA-B442-F44108356FE4", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:identity_manager_connector:3.3.4:*:*:*:*:*:*:*", "matchCriteriaId": "BC3385CD-5F3E-4076-89A8-37F61FE41270", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:identity_manager_connector:3.3.5:*:*:*:*:*:*:*", "matchCriteriaId": "A2D301BA-B4AA-4DCF-A91E-B03AE5E95AAE", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:identity_manager_connector:3.3.6:*:*:*:*:*:*:*", "matchCriteriaId": "004A7497-2D06-4D8D-9C82-C0D774101326", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:identity_manager_connector:19.03.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "99AA692E-48AB-4813-809C-970CA1BC6AF6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "VMware Workspace ONE Access and Identity Manager contain a URL injection vulnerability. A malicious actor with network access may be able to redirect an authenticated user to an arbitrary domain."}, {"lang": "es", "value": "VMware Workspace ONE Access y Identity Manager contienen una vulnerabilidad de inyecci\u00f3n de URL. Un actor malicioso con acceso a la red puede ser capaz de redirigir a un usuario autenticado a un dominio arbitrario"}], "id": "CVE-2022-31657", "lastModified": "2023-08-08T14:21:49.707", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-05T16:15:12.653", "references": [{"source": "security@vmware.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.vmware.com/security/advisories/VMSA-2022-0021.html"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "nvd@nist.gov", "type": "Primary"}]}