VMSA-2023-0011:VMware Workspace ONE Access and Identity Manager update addresses an Insecure Redirect Vulnerability.
1. Impacted Products
VMware Workspace ONE Access (Access)
VMware Identity Manager (vIDM)
VMware Cloud Foundation (Cloud Foundation)
2. Introduction
An insecure redirect vulnerability in Workspace ONE Access and Identity Manager was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.
3a. Insecure Redirect Vulnerability (CVE-2023-20884)
Description
VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.1.
Known Attack Vectors
An unauthenticated malicious actor may be able to redirect a victim to an attacker controlled domain due to improper path handling leading to sensitive information disclosure.
Resolution
To remediate CVE-2023-20884 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
VMware would like to thank Hari Namburi of Wells Fargo for reporting this vulnerability to us.
Response Matrix
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
| Workspace ONE Access | 22.09.1.0 | Linux | CVE-2023-20884 | moderate | None | None | ||
| Workspace ONE Access | 22.09.0.0 | Linux | CVE-2023-20884 | moderate | None | None | ||
| Workspace ONE Access | 21.08.x | Linux | CVE-2023-20884 | moderate | None | None | ||
| Workspace ONE Access Connector | All | Windows | CVE-2023-20884 | N/A | N/A | Unaffected | N/A | N/A |
| VMware Identity Manager (vIDM) | 3.3.7 | Linux | CVE-2023-20884 | moderate | None | None | ||
| VMware Identity Manager (vIDM) | 3.3.6 | Linux | CVE-2023-20884 | moderate | None | None | ||
| VMware Identity Manager (vIDM) Connector | All | Windows | CVE-2023-20884 | N/A | N/A | Unaffected | N/A | N/A |
| VMware Cloud Foundation (vIDM) | Any | Any | CVE-2023-20884 | moderate | None | None |
4. References
VMware Workspace ONE Access 22.09.1.0 KB92512
VMware Identity Manager (vIDM) KB92512
VMware Cloud Foundation (vIDM) KB92512
Mitre CVE Dictionary Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20884
FIRST CVSSv3 Calculator:
CVE-2023-20884: 6.1 https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
5. Change Log
2023-05-30: VMSA-2023-0011
Initial security advisory.
6. Contact
E-mail: [email protected]
PGP key at:
https://kb.vmware.com/kb/1055
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Twitter
https://twitter.com/VMwareSRC
Copyright 2023 VMware Inc. All rights reserved.