7.8

CVE-2022-22960

Warning
Exploit

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts. A malicious actor with local access can escalate privileges to 'root'.

Data is provided by the National Vulnerability Database (NVD)
VMware Cloud Foundation, Version >= 3.0 < 5.0
   Linux: Linux Kernel, Version -
VMware Identity Manager, Version 3.3.3
   Linux: Linux Kernel, Version -
VMware Identity Manager, Version 3.3.4
   Linux: Linux Kernel, Version -
VMware Identity Manager, Version 3.3.5
   Linux: Linux Kernel, Version -
VMware Identity Manager, Version 3.3.6
   Linux: Linux Kernel, Version -
VMware vRealize Automation, Version >= 8.0 < 9.0
   Linux: Linux Kernel, Version -
VMware vRealize Automation, Version 7.6
   Linux: Linux Kernel, Version -
VMware vRealize Suite Lifecycle Manager, Version >= 8.0 < 9.0
   Linux: Linux Kernel, Version -
VMware Workspace ONE Access, Version 20.10.0.0
   Linux: Linux Kernel, Version -
VMware Workspace ONE Access, Version 20.10.0.1
   Linux: Linux Kernel, Version -
VMware Workspace ONE Access, Version 21.08.0.0
   Linux: Linux Kernel, Version -
VMware Workspace ONE Access, Version 21.08.0.1
   Linux: Linux Kernel, Version -

15.04.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability: VMware Multiple Products Privilege Escalation Vulnerability

Description: VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a privilege escalation vulnerability due to improper permissions in support scripts.

Required actions: Apply updates per vendor instructions.

EPSS Metrics

Type   Source      Score    Percentile
EPSS   FIRST.org   72.72%   0.987

CVSS Metrics

Source                                 Base Score   Exploit Score   Impact Score   Vector string
nvd@nist.gov                           7.8          1.8             5.9            CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov                           7.2          3.9             10             AV:L/AC:L/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0   7.8          1.8             5.9            CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.