CVE-2022-22958
HIGH
VMware Cloud Foundation < 5.0 - Insecure Deserialization
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain two remote code execution vulnerabilities (CVE-2022-22957 & CVE-2022-22958). A malicious actor with administrative access can trigger deserialization of untrusted data through a malicious JDBC URI, which may result in remote code execution.
Scores
CVSS v3: 7.2
EPSS: 0.0302
EPSS Percentile: 86.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Classification
CWE: CWE-502
Status: published
Affected Products (12)
vmware/cloud_foundation < 5.0
vmware/identity_manager
vmware/identity_manager
vmware/identity_manager
vmware/identity_manager
vmware/vrealize_automation < 9.0
vmware/vrealize_automation
vmware/vrealize_suite_lifecycle_manager < 9.0
vmware/workspace_one_access
vmware/workspace_one_access
vmware/workspace_one_access
vmware/workspace_one_access
Timeline
Published: Apr 13, 2022
Tracked Since: Feb 18, 2026