VMware Workspace One Assist Multiple Vulnerabilities (VMSA-2022-0028)

critical Nessus Plugin ID 167615

Language:

Synopsis

The VMWare Workspace One Assist server running on the remote host is affected by multiple vulnerabilities.

Description

The VMware Workspace One Assist server running on the remote host is affected multiple vulnerabilities, including the following:

 - VMware Workspace ONE Assist prior to 22.10 contains an Authentication Bypass vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application. (CVE-2022-31685)

 - VMware Workspace ONE Assist prior to 22.10 contains a Broken Authentication Method vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application. (CVE-2022-31686)

 - VMware Workspace ONE Assist prior to 22.10 contains a Broken Access Control vulnerability. A malicious actor with network access to Workspace ONE Assist may be able to obtain administrative access without the need to authenticate to the application. (CVE-2022-31687)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version.

Solution

Upgrade to version 22.10 as per the VMSA-2022-0028 advisory.

See Also

https://www.vmware.com/security/advisories/VMSA-2022-0028.html

Plugin Details

Severity: Critical

ID: 167615

File Name: vmware_workspace_one_assist_VMSA-2022-0028.nasl

Version: 1.5

Type: remote

Family: CGI abuses

Published: 11/16/2022

Updated: 11/17/2022

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2022-31685

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

CVSS Score Source: CVE-2022-31689

Vulnerability Information

CPE: x-cpe:/a:vmware:workspace_one_assist

Required KB Items: installed_sw/VMware Workspace ONE Assist

Exploit Ease: No known exploits are available

Patch Publication Date: 11/8/2022

Vulnerability Publication Date: 11/8/2022

Reference Information

CVE: CVE-2022-31685, CVE-2022-31686, CVE-2022-31687, CVE-2022-31688, CVE-2022-31689

VMSA: VMSA-2022-0028

IAVA: 2022-A-0483