VMware Workspace One Access / VMware Identity Manager Multiple Vulnerabilities (VMSA-2022-0011)

critical Nessus Plugin ID 159548


Synopsis

An identity store broker application running on the remote host is affected by multiple vulnerabilities.


Description

The VMware Workspace One Access (formerly VMware Identity Manager) application running on the remote host is affected by the following vulnerabilities:

- Server-side Template Injection Remote Code Execution Vulnerability (CVE-2022-22954)
- OAuth2 ACS Authentication Bypass Vulnerabilities (CVE-2022-22955, CVE-2022-22956)
- JDBC Injection Remote Code Execution Vulnerabilities (CVE-2022-22957, CVE-2022-22958)
- Cross Site Request Forgery Vulnerability (CVE-2022-22959)
- Local Privilege Escalation Vulnerability (CVE-2022-22960)
- Information Disclosure Vulnerability (CVE-2022-22961)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version.


Solution

Apply the HW-154129 hotfix to VMware Workspace One Access / VMware Identity Manager as per the VMSA-2022-0011 advisory.

Plugin Details

Severity: Critical

ID: 159548

File Name: vmware_workspace_one_access_VMSA-2022-0011.nasl

Version: 1.7

Type: remote

Family: CGI abuses

Published: 4/6/2022

Updated: 12/5/2022

Risk Information


VPR

Risk Factor: Critical

Score: 9.5


CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:H/RL:OF/RC:C

CVSS Score Source: CVE-2022-22954


CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

CVSS Score Source: CVE-2022-22956

Vulnerability Information

CPE: cpe:/a:vmware:workspace_one_access, cpe:/a:vmware:identity_manager

Required KB Items: installed_sw/VMware Workspace ONE Access

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/6/2022

Vulnerability Publication Date: 4/6/2022

CISA Known Exploited Dates: 5/5/2022, 5/6/2022

Exploitable With

Metasploit (VMware Workspace ONE Access CVE-2022-22954)

Reference Information

CVE: CVE-2022-22954, CVE-2022-22955, CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961

VMSA: 2022-0011

IAVA: 2022-A-0136-S

CEA-ID: CEA-2022-0012