CVE-2022-31656
Published: 05 August 2022
Summary
CVE-2022-31656 is a critical-severity vulnerability of an unspecified weakness type in VMware Identity Manager Connector. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
VMware Workspace ONE Access, Identity Manager, and vRealize Automation contain an authentication bypass vulnerability that affects local domain users. The flaw permits a malicious actor with network access to the product UI to reach administrative functionality without presenting credentials, as reflected in its CVSS 3.1 score of 9.8.
An unauthenticated attacker who can reach the affected web interface can therefore obtain full administrative control over the impacted VMware components. The issue was disclosed on 5 August 2022.
The vendor advisory VMSA-2022-0021 at https://www.vmware.com/security/advisories/VMSA-2022-0021.html supplies the official mitigation guidance and patch information. The associated EPSS score has remained elevated, with a recorded peak of 0.8447 and a current value of 0.8047.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-53090
Vulnerability details
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.