VMSA-2023-0011

Advisory ID: VMSA-2023-0011
Severity: Moderate
CVSSv3 Range: 6.1
Issue Date: 2023-05-30
Updated On: 2023-05-30 (Initial Advisory)
CVE(s): CVE-2023-20884

VMware Workspace ONE Access and Identity Manager update addresses an Insecure Redirect Vulnerability. (CVE-2023-20884)

1. Impacted Products



VMware Workspace ONE Access (Access)

VMware Identity Manager (vIDM)

VMware Cloud Foundation (Cloud Foundation)

2. Introduction



An insecure redirect vulnerability in Workspace ONE Access and Identity Manager was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.

3a. Insecure Redirect Vulnerability (CVE-2023-20884)

Description



VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.1.

Known Attack Vectors



An unauthenticated malicious actor may be able to redirect a victim to an attacker-controlled domain due to improper path handling, leading to sensitive information disclosure. The CVSSv3 vector in section 4 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reflects this: the endpoint is reachable over the network without credentials, but the victim must follow a crafted link, and the confidentiality and integrity impact lands on the attacker's domain rather than on the vulnerable host itself.
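The advisory names "improper path handling" as the root cause but does not publish the affected code, so the following is an added illustration of the vulnerability class, not VMware's code and not the actual CVE-2023-20884 defect. It contrasts the kind of relative-path check that is commonly wrong (anything beginning with "/" is treated as same-site) with a stricter validator, and goes beyond the single case in the text by covering the usual bypasses of such a check: protocol-relative targets, backslashes that browsers normalise to slashes, scheme-only URLs, and userinfo tricks. The hostnames, the allow-list, and the function names are assumptions made for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Hypothetical allow-list for this example: the only external hosts a
# post-login redirect may point to. Constructed for illustration, not
# taken from the advisory.
ALLOWED_HOSTS = {"idm.example.com", "access.example.com"}


def naive_is_local_redirect(target: str) -> bool:
    """A check that looks safe and is not: it accepts any target starting
    with '/' as a same-site path. A protocol-relative target such as
    '//evil.example' passes, and so does '/\\evil.example', because browsers
    turn the backslash into a slash before resolving it."""
    return target.startswith("/") and not target.startswith("http")


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Return a redirect target that stays on this site or on an allow-listed
    https host; otherwise return the fallback.

    Rules applied, in order:
      * reject empty input and anything containing control characters or
        whitespace, which some URL parsers silently strip
      * normalise backslashes to slashes, matching browser behaviour
      * a relative target must parse with no scheme and no authority and
        must begin with exactly one '/'
      * an absolute target must be https, carry no userinfo, and name a
        host on the allow-list
    """
    if not target or any(ord(c) < 0x20 or c.isspace() for c in target):
        return fallback
    normalised = target.replace("\\", "/")
    try:
        parts = urlsplit(normalised)
    except ValueError:  # e.g. malformed IPv6 literal such as 'https://[evil'
        return fallback
    if parts.scheme == "" and parts.netloc == "":
        # Same-site path. urlsplit already treats '//host' as an authority,
        # so netloc == "" means no host is present; the startswith check
        # additionally rejects '///host' style inputs.
        if normalised.startswith("/") and not normalised.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return fallback
    if parts.scheme.lower() != "https":
        return fallback
    if parts.username is not None or parts.password is not None:
        return fallback
    if parts.hostname in ALLOWED_HOSTS:
        return normalised
    return fallback


def classify(targets):
    """Run both checks over a list of targets; returns a dict of
    target -> (naive verdict, strict redirect target) for comparison."""
    return {t: (naive_is_local_redirect(t), safe_redirect_target(t)) for t in targets}


if __name__ == "__main__":
    # Constructed sample inputs an attacker might place in a redirect parameter.
    samples = [
        "/dashboard?x=1",
        "//evil.example/login",
        "/\\evil.example",
        "https:evil.example",
        "https://access.example.com@evil.example/",
        "https://access.example.com/app",
        "https://[evil",
    ]
    for target, (naive_ok, strict) in classify(samples).items():
        print(f"{target!r:45} naive_ok={naive_ok!s:5} strict->{strict}")
```

The naive check is the one to look for during review of any "return to" or "next" parameter: the first three samples are all accepted by it, yet only the first stays on the site. The strict version parses first and decides on the parsed components, which is what removes the ambiguity the advisory attributes to path handling.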

Resolution



To remediate CVE-2023-20884 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.

Workarounds



None.

Additional Documentation



None.

Notes



None.

Acknowledgements



VMware would like to thank Hari Namburi of Wells Fargo for reporting this vulnerability to us.

Response Matrix

Product                                   Version    Running On  CVE Identifier  CVSSv3  Severity  Fixed Version  Workarounds  Additional Documentation
Workspace ONE Access                      22.09.1.0  Linux       CVE-2023-20884  6.1     Moderate  KB92512        None         None
Workspace ONE Access                      22.09.0.0  Linux       CVE-2023-20884  6.1     Moderate  KB92512        None         None
Workspace ONE Access                      21.08.x    Linux       CVE-2023-20884  6.1     Moderate  KB92512        None         None
Workspace ONE Access Connector            All        Windows     CVE-2023-20884  N/A     N/A       Unaffected     N/A          N/A
VMware Identity Manager (vIDM)            3.3.7      Linux       CVE-2023-20884  6.1     Moderate  KB92512        None         None
VMware Identity Manager (vIDM)            3.3.6      Linux       CVE-2023-20884  6.1     Moderate  KB92512        None         None
VMware Identity Manager (vIDM) Connector  All        Windows     CVE-2023-20884  N/A     N/A       Unaffected     N/A          N/A
VMware Cloud Foundation (vIDM)            Any        Any         CVE-2023-20884  6.1     Moderate  KB92512        None         None

4. References



VMware Workspace ONE Access 22.09.1.0: KB92512
VMware Identity Manager (vIDM): KB92512
VMware Cloud Foundation (vIDM): KB92512

 

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20884

FIRST CVSSv3 Calculator:
CVE-2023-20884: 6.1 https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5. Change Log



2023-05-30: VMSA-2023-0011
Initial security advisory.

6. Contact



E-mail: security@vmware.com

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

 

Copyright 2023 VMware Inc. All rights reserved.
