CVE-2022-22955

CRITICAL

VMware Workspace ONE Access - Authentication Bypass via OAuth2 ACS Framework

Title source: llm
STIX 2.1

Description

VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework.

References (1)

Core 1
Core References
Patch, Vendor Advisory x_refsource_misc
https://www.vmware.com/security/advisories/VMSA-2022-0011.html

Scores

CVSS v3 9.8
EPSS 0.7011
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (10)
vmware/identity_manager 3.3.3
vmware/identity_manager 3.3.4
vmware/identity_manager 3.3.5
vmware/identity_manager 3.3.6
vmware/vrealize_automation 7.6
vmware/vrealize_automation 8.0 - 9.0
vmware/workspace_one_access 20.10.0.0
vmware/workspace_one_access 20.10.0.1
vmware/workspace_one_access 21.08.0.0
vmware/workspace_one_access 21.08.0.1
Published Apr 13, 2022
Tracked Since Feb 18, 2026