Skip to the content.

DIVD-2022-00025 - VMware - CVE-2022-22954

Our reference DIVD-2022-00025
Case lead Victor Pasman
Researcher(s)
CVE(s)
Product VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware vRealize Automation (vRA), VMware Cloud Foundation, vRealize Suite Lifecycle Manager
Versions versions prior to 20.10.0.1, 20.10.0.0
Recommendation If you receive an email from DIVD referring to this case, the vulnerability has been confirmed. You should update the application to the newest versions 20.10.0.1, 20.10.0.0.
Patch status Available
Status Open
Last modified 08 Dec 2022 16:28

Summary

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.

What you can do

What we are doing

Timeline

Date Description
12 Apr 2022 DIVD starts investigating the scope and impact of the vulnerability.
13 Apr 2022 First version of this case file.
13 Apr 2022 First batch of notifications sent
15 May 2022 Second batch of notifications sent
24 Jun 2022 Third batch of notifications sent
28 Jul 2022 Fourth batch of notifications sent
gantt title DIVD-2022-00025 - VMware - CVE-2022-22954 dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00025 - VMware - CVE-2022-22954 (still open) :2022-04-12, 2022-12-15 section Events DIVD starts investigating the scope and impact of the vulnerability. : milestone, 2022-04-12, 0d First version of this case file. : milestone, 2022-04-13, 0d First batch of notifications sent : milestone, 2022-04-13, 0d Second batch of notifications sent : milestone, 2022-05-15, 0d Third batch of notifications sent : milestone, 2022-06-24, 0d Fourth batch of notifications sent : milestone, 2022-07-28, 0d

More information