CVE-2021-22002 Information

Description

VMware Workspace ONE Access and Identity Manager allow the /cfg web app and diagnostic endpoints on port 8443 to be accessed via port 443 using a custom host header. A malicious actor with network access to port 443 could tamper with host headers to facilitate access to the /cfg web app in addition a malicious actor could access /cfg diagnostic endpoints without authentication.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://www.vmware.com/security/advisories/VMSA-2021-0016.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8