CVE-2023-20886: VMSA-2023-0025
VMware Workspace ONE UEM console contains an open redirect vulnerability.
A malicious actor may be able to redirect a victim to an attacker-controlled destination and retrieve the victim's SAML response, allowing the attacker to log in as the victim user.
Advisory ID: VMSA-2023-0025
CVSSv3 Range: 8.8
Issue Date: 2023-10-31
Updated On: 2023-10-31 (Initial Advisory)
CVE(s): CVE-2023-20886
Synopsis: VMware Workspace ONE UEM console updates address an open redirect vulnerability (CVE-2023-20886)
**1. Impacted Products**
- VMware Workspace ONE UEM console
**2. Introduction**
An open redirect vulnerability in VMware Workspace ONE UEM console was responsibly reported to VMware. Updates are available to remediate this vulnerability in affected VMware products.
**3. Advisory Details**
VMware Workspace ONE UEM console contains an open redirect vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.
A malicious actor may be able to redirect a victim to an attacker-controlled destination and retrieve the victim's SAML response, allowing the attacker to log in as the victim user.
To remediate CVE-2023-20886, apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
VMware would like to thank D’Angelo Gonzalez of CrowdStrike for reporting this issue to us.
| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| Workspace ONE UEM | 2306 | Any | CVE-2023-20886 | N/A | N/A | Unaffected | N/A | N/A |
| Workspace ONE UEM | 2302 | Any | CVE-2023-20886 | 8.8 | Important | 23.2.0.10 | None | None |
| Workspace ONE UEM | 2212 | Any | CVE-2023-20886 | 8.8 | Important | 22.12.0.20 | None | None |
| Workspace ONE UEM | 2209 | Any | CVE-2023-20886 | 8.8 | Important | 22.9.0.29 | None | None |
| Workspace ONE UEM | 2206 | Any | CVE-2023-20886 | 8.8 | Important | 22.6.0.36 | None | None |
| Workspace ONE UEM | 2203 | Any | CVE-2023-20886 | 8.8 | Important | 22.3.0.48 | None | None |
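The advisory names the bug class (an open redirect in a SAML login flow) but not the code. The following is an added illustration, not VMware's code: a post-login redirect check in the permissive shape that produces an open redirect, beside a hardened version that parses the URL and allow-lists the host. The hostnames, `ALLOWED_HOSTS`, `DEFAULT_TARGET` and the sample URLs are constructed for this example.

```python
"""Open redirect in a post-login flow: permissive pattern vs. allow-listed check.
Added example; hosts and URL shape are assumptions, not taken from the advisory."""
from urllib.parse import urlsplit, urlunsplit

# Hosts the console may send a browser to after SAML login (constructed).
ALLOWED_HOSTS = {"uem.example.com", "console.example.com"}
DEFAULT_TARGET = "https://uem.example.com/"


def redirect_target_vulnerable(return_url: str) -> str:
    """The open-redirect shape: whatever the login request carried is honoured.
    A victim who follows a crafted link is authenticated and then sent, with
    their SAML response, to a host the attacker chose."""
    return return_url or DEFAULT_TARGET


def redirect_target_hardened(return_url: str) -> str:
    """Accept only HTTPS targets on an allow-listed host, or same-origin
    relative paths; anything else falls back to DEFAULT_TARGET.
    Parsing (not prefix matching) handles the usual validator pitfalls:
    scheme-relative '//host', backslash-as-slash, userinfo 'host@evil',
    look-alike hosts such as 'uem.example.com.evil.net', and non-HTTPS schemes."""
    if not return_url:
        return DEFAULT_TARGET
    # Browsers treat '\' like '/' in the authority section; normalise first.
    parts = urlsplit(return_url.replace("\\", "/"))
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be an absolute path and not scheme-relative.
        if not parts.path.startswith("/") or parts.path.startswith("//"):
            return DEFAULT_TARGET
        return urlunsplit(("https", "uem.example.com", parts.path, parts.query, ""))
    if parts.scheme != "https":
        return DEFAULT_TARGET
    # .hostname strips userinfo and port and lower-cases; reject any userinfo
    # outright and require an exact allow-list match.
    if parts.username is not None or parts.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Constructed inputs: the first two are legitimate, the rest are typical
    # open-redirect shapes that the hardened check must not honour.
    for url in ["/dashboard?x=1", "https://UEM.example.com/path",
                "//evil.example.net/x", "/\\evil.example.net",
                "https://uem.example.com@evil.example.net/",
                "https://uem.example.com.evil.net/", "http://uem.example.com/"]:
        print(f"{url!r:45} -> {redirect_target_hardened(url)}")
```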
**4. References**
**5. Change Log**
**2023-10-31: VMSA-2023-0025**
Initial security advisory.
**6. Contact**