Executive Summary
Summary | |
---|---|
Title | VMware Workspace ONE Access and related components are vulnerable to command injection |
Information | |||
---|---|---|---|
Name | VU#724367 | First vendor Publication | 2020-11-23 |
Vendor | VU-CERT | Last vendor Modification | 2020-12-08 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H | |||
---|---|---|---|
Overall CVSS Score | 9.1 | ||
Base Score | 9.1 | Environmental Score | 9.1 |
Impact Subscore | 6 | Temporal Score | 9.1 |
Exploitability Subscore | 2.3 | ||
Attack Vector | Network | Attack Complexity | Low |
Privileges Required | High | User Interaction | None |
Scope | Changed | Confidentiality Impact | High |
Integrity Impact | High | Availability Impact | High |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:S/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Exploit Score | 8 | Authentication | Requires single instance |
Detail
Overview
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector are vulnerable to command injection in the administrative configurator. This could allow a remote attacker to execute commands with unrestricted privileges on the underlying operating system.
Description
VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector are vulnerable to command injection in the administrative configurator. This could allow a remote attacker with access to the administrative configurator on port 8443 and a valid password to execute commands with unrestricted privileges on the underlying operating system. For additional details, please see VMSA-2020-0027 and CVE-2020-4006.
Impact
This could allow a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account to execute commands with unrestricted privileges on the underlying operating system. Active exploitation of this vulnerability has been reported.
Solution
VMware has released updates as described in VMSA-2020-0027.
Workarounds
VMware has documented workarounds in VMSA-2020-0027.
Acknowledgements
Thanks to VMware for coordinating this vulnerability. This document was written by Madison Oliver.
Original Source
Url : https://kb.cert.org/vuls/id/724367 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 3 | |
Application | 3 | |
Application | 2 |
Alert History
Date | Information |
---|---|
2021-04-09 21:18:04 | |
2020-12-08 17:17:32 | |
2020-12-07 21:17:58 | |
2020-12-04 00:17:31 | |
2020-11-23 21:17:55 | |