CVE-2022-31656

Severity: Critical

Published: 05 August 2022

Modified: 21 November 2024
KEV Added: (no date recorded)
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8047 (99.2nd percentile)
Risk Priority: 68 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-31656 is a critical-severity vulnerability of unspecified weakness type in VMware Identity Manager Connector. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain an authentication bypass vulnerability that affects local domain users. The flaw permits a malicious actor with network access to the product UI to reach administrative functionality without presenting credentials, as reflected in its CVSS 3.1 score of 9.8.

An unauthenticated attacker with network access to the affected web interface can therefore obtain full administrative control over the impacted VMware components. The issue was disclosed on 5 August 2022.

The vendor advisory VMSA-2022-0021 at https://www.vmware.com/security/advisories/VMSA-2022-0021.html supplies the official mitigation guidance and patch information. The associated EPSS score has remained elevated, with a recorded peak of 0.8447 and a current value of 0.8047.

Vulnerability details

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: vmware, Product: identity manager, Versions: 3.3.4, 3.3.5, 3.3.6
Vendor: vmware, Product: one access, Versions: 21.08.0.0, 21.08.0.1
Vendor: vmware, Product: access connector, Versions: 21.08.0.0, 21.08.0.1, 22.05
Vendor: vmware, Product: identity manager connector, Versions: 19.03.0.1, 3.3.4, 3.3.5, 3.3.6

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.