CVSS: 9.8EPSS: 0%CPEs: 11EXPL: 0CVE-2022-22956 – VMware Workspace ONE Remote Code Execution
https://notcve.org/view.php?id=CVE-2022-22956
VMware Workspace ONE Access has two authentication bypass vulnerabilities (CVE-2022-22955 & CVE-2022-22956) in the OAuth2 ACS framework. A malicious actor may bypass the authentication mechanism and execute any operation due to exposed endpoints in the authentication framework. VMware Workspace ONE Access presenta dos vulnerabilidades de omisión de autenticación (CVE-2022-22955 y CVE-2022-22956) en el marco de OAuth2 ACS. Un actor malicioso puede omitir el mecanismo de autenticación y ejecutar cualquier operación debido a los endpoints expuestos en el marco de autenticación • http://packetstormsecurity.com/files/171918/Mware-Workspace-ONE-Remote-Code-Execution.html http://packetstormsecurity.com/files/171918/VMware-Workspace-ONE-Remote-Code-Execution.html https://www.vmware.com/security/advisories/VMSA-2022-0011.html https://srcincite.io/blog/2022/08/11/i-am-whoever-i-say-i-am-infiltrating-vmware-workspace-one-access-using-a-0-click-exploit.html#dbconnectioncheckcontroller-dbcheck-jdbc-injection-remote-code-execution https://github.com/sourceincite/hekate • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 97%CPEs: 13EXPL: 23CVE-2022-22954 – VMware Workspace ONE Access and Identity Manager Server-Side Template Injection Vulnerability
https://notcve.org/view.php?id=CVE-2022-22954
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution. VMware Workspace ONE Access y Identity Manager contienen una vulnerabilidad de ejecución de código remota debido a una inyección de plantillas del lado del servidor. Un actor malicioso con acceso a la red puede desencadenar una inyección de plantillas del lado del servidor que puede resultar en la ejecución de código remota VMware Workspace ONE Access and Identity Manager allow for remote code execution due to server-side template injection. • https://github.com/sherlocksecurity/VMware-CVE-2022-22954 https://github.com/bewhale/CVE-2022-22954 https://github.com/MLX15/CVE-2022-22954 https://github.com/orwagodfather/CVE-2022-22954 https://github.com/jax7sec/CVE-2022-22954 https://github.com/secfb/CVE-2022-22954 https://github.com/tunelko/CVE-2022-22954-PoC https://github.com/bb33bb/CVE-2022-22954-VMware-RCE https://github.com/aniqfakhrul/CVE-2022-22954 https://github.com/b4dboy17/CVE-2022-22954 https://githu • CWE-94: Improper Control of Generation of Code ('Code Injection') •