VMSA-2023-0011:VMware Workspace ONE Access and Identity Manager update addresses an Insecure Redirect Vulnerability.

VMware Tanzu Application Service

0 more products

23673

28 May 2023

28 May 2023

CLOSED

MEDIUM

6.1

CVE-2023-20884

VMSA-2023-0011
6.1
2023-05-30
2023-05-30 (Initial Advisory)
CVE-2023-20884
VMware Workspace ONE Access and Identity Manager update addresses an Insecure Redirect Vulnerability. (CVE-2023-20884)
1. Impacted Products

VMware Workspace ONE Access (Access)

VMware Identity Manager (vIDM)

VMware Cloud Foundation (Cloud Foundation)

2. Introduction

An insecure redirect vulnerability in Workspace ONE Access and Identity Manager was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.

3a. Insecure Redirect Vulnerability (CVE-2023-20884)

Description

VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.1.

Known Attack Vectors

An unauthenticated malicious actor may be able to redirect a victim to an attacker controlled domain due to improper path handling leading to sensitive information disclosure.

Resolution

To remediate CVE-2023-20884 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.

Workarounds

None.

Additional Documentation

None.

Notes

None.

Acknowledgements

VMware would like to thank Hari Namburi of Wells Fargo for reporting this vulnerability to us.

Response Matrix

Product Version Running On CVE Identifier CVSSv3 Severity Fixed Version Workarounds Additional Documentation
Workspace ONE Access
22.09.1.0
Linux
CVE-2023-20884
moderate
None
None
Workspace ONE Access
22.09.0.0
Linux
CVE-2023-20884
moderate
None
None
Workspace ONE Access
21.08.x
Linux
CVE-2023-20884
moderate
None
None
Workspace ONE Access Connector
All
Windows
CVE-2023-20884
N/A
N/A
Unaffected
N/A
N/A
VMware Identity Manager (vIDM)
3.3.7
Linux
CVE-2023-20884
moderate
None
None
VMware Identity Manager (vIDM)
3.3.6
Linux
CVE-2023-20884
moderate
None
None
VMware Identity Manager (vIDM) Connector
All
Windows
CVE-2023-20884
N/A
N/A
Unaffected
N/A
N/A
VMware Cloud Foundation (vIDM)
Any
Any
CVE-2023-20884
moderate
None
None
4. References

VMware Workspace ONE Access 22.09.1.0 KB92512
VMware Identity Manager (vIDM) KB92512

VMware Cloud Foundation (vIDM) KB92512

 

Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20884

FIRST CVSSv3 Calculator:
CVE-2023-20884: 6.1 https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

5. Change Log

2023-05-30: VMSA-2023-0011
Initial security advisory.

6. Contact

E-mail: [email protected]

PGP key at:
https://kb.vmware.com/kb/1055

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html

VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html

VMware Security & Compliance Blog
https://blogs.vmware.com/security

Twitter
https://twitter.com/VMwareSRC

 

Copyright 2023 VMware Inc. All rights reserved.