
DIVD-2022-00025 - VMware - CVE-2022-22954

Our reference: DIVD-2022-00025
Case lead: Victor Pasman
Researcher(s):
CVE(s):
Product: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, vRealize Suite Lifecycle Manager
Versions: Versions prior to 20.10.0.1, 20.10.0.0
Recommendation: If you receive an email from DIVD referring to this case, the vulnerability has been confirmed. You should update the application to the newest versions 20.10.0.1, 20.10.0.0.
Patch status: Available
Status: Open
Last modified: 13 Apr 2022 14:48

Summary

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

What you can do

What we are doing

Timeline

Date: Description
12 Apr 2022: DIVD starts investigating the scope and impact of the vulnerability.
13 Apr 2022: First version of this case file.

More information