dark
2K
3K
2K
Hand-Picked Top-Read Stories
Trending Tags
403 views
2 minute read

VMSA-2023-0011

James Dean
31 May 2023
vmware logo header
Total
0
Shares
0
0
0
0
0
0
0
0

Moderate


VMSA-2023-0011

6.1

2023-05-30

2023-05-30 (Initial Advisory)

CVE-2023-20884

VMware Workspace ONE Access and Identity Manager update addresses an Insecure Redirect Vulnerability. (CVE-2023-20884)

1. Impacted Products



VMware Workspace ONE Access (Access)

VMware Identity Manager (vIDM)

VMware Cloud Foundation (Cloud Foundation)

2. Introduction



An insecure redirect vulnerability in Workspace ONE Access and Identity Manager was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.

3a. Insecure Redirect Vulnerability (CVE-2023-20884)

Description



VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.1.

Known Attack Vectors



An unauthenticated malicious actor may be able to redirect a victim to an attacker controlled domain due to improper path handling leading to sensitive information disclosure.

Resolution



To remediate CVE-2023-20884 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

Workarounds



None.

Additional Documentation



None.

Notes



None.

Acknowledgements



VMware would like to thank Hari Namburi of Wells Fargo for reporting this vulnerability to us.

Response Matrix

ProductVersionRunning OnCVE IdentifierCVSSv3SeverityFixed VersionWorkaroundsAdditional Documentation
Workspace ONE Access
22.09.1.0
Linux
CVE-2023-20884
6.1
moderate

KB92512
None
None
Workspace ONE Access
22.09.0.0
Linux
CVE-2023-20884
6.1
moderate

22.09.1.0
None
None
Workspace ONE Access
21.08.x
Linux
CVE-2023-20884
6.1
moderate

22.09.1.0
None
None
Workspace ONE Access Connector
All
Windows
CVE-2023-20884
N/A
N/A

Unaffected
N/A
N/A
VMware Identity Manager (vIDM)
3.3.7
Linux
CVE-2023-20884
6.1
moderate

KB92512
None
None
VMware Identity Manager (vIDM)
3.3.6
Linux
CVE-2023-20884
6.1
moderate

3.3.7
None
None
VMware Identity Manager (vIDM) Connector
All
Windows
CVE-2023-20884
N/A
N/A

Unaffected
N/A
N/A
VMware Cloud Foundation (vIDM)
Any
Any
CVE-2023-20884
6.1
moderate

KB92512
None
None

4. References



VMware Workspace ONE Access 22.09.1.0 KB92512
VMware Identity Manager (vIDM) KB92512

VMware Cloud Foundation (vIDM) KB92512

 

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20884

FIRST CVSSv3 Calculator:
CVE-2023-20884: 6.1 https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5. Change Log



2023-05-30: VMSA-2023-0011
Initial security advisory.

6. Contact



E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

 

Copyright 2023 VMware Inc. All rights reserved.

 

Read full article (vmware.com)

All content and images belong to their respected owners, this article is curated for informational purposes only.

Total
0
Shares
Share 0
Tweet 0
Pin it 0
Share 0
Share 0
Share 0
Share 0
Share 0
Leave a Reply
Previous Post
citrix logo header

How to Add Machine to Existed Machine Catalog and Delivery Group using PowerShell

byJames Dean
30 May 2023
Next Post
citrix logo header

ShareFile for Outlook – Messages incorrectly marked as spam.

byJames Dean
1 June 2023
Related Posts