Headline
CVE-2023-20884: VMSA-2023-0011
VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. An unauthenticated malicious actor may be able to redirect a victim to an attacker controlled domain due to improper path handling leading to sensitive information disclosure.
Advisory ID: VMSA-2023-0011
CVSSv3 Range: 6.1
Issue Date: 2023-05-30
Updated On: 2023-05-30 (Initial Advisory)
CVE(s): CVE-2023-20884
Synopsis: VMware Workspace ONE Access and Identity Manager update addresses an Insecure Redirect Vulnerability. (CVE-2023-20884)
****1. Impacted Products****
VMware Workspace ONE Access (Access)
VMware Identity Manager (vIDM)
VMware Cloud Foundation (Cloud Foundation)
****2. Introduction****
An insecure redirect vulnerability in Workspace ONE Access and Identity Manager was privately reported to VMware. Updates are available to address this vulnerability in affected VMware products.
****3a. Insecure Redirect Vulnerability (CVE-2023-20884)****
VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.1.
An unauthenticated malicious actor may be able to redirect a victim to an attacker controlled domain due to improper path handling leading to sensitive information disclosure.
To remediate CVE-2023-20884 apply the patches listed in the ‘Fixed Version’ column of the ‘Response Matrix’ below.
VMware would like to thank Hari Namburi of Wells Fargo for reporting this vulnerability to us.
Product
Version
Running On
CVE Identifier
CVSSv3
Severity
Fixed Version
Workarounds
Additional Documentation
Workspace ONE Access
22.09.1.0
Linux
CVE-2023-20884
6.1
moderate
KB92512
None
None
Workspace ONE Access
22.09.0.0
Linux
CVE-2023-20884
6.1
moderate
22.09.1.0
None
None
Workspace ONE Access
21.08.x
Linux
CVE-2023-20884
6.1
moderate
22.09.1.0
None
None
Workspace ONE Access Connector
All
Windows
CVE-2023-20884
N/A
N/A
Unaffected
N/A
N/A
VMware Identity Manager (vIDM)
3.3.7
Linux
CVE-2023-20884
6.1
moderate
KB92512
None
None
VMware Identity Manager (vIDM)
3.3.6
Linux
CVE-2023-20884
6.1
moderate
3.3.7
None
None
VMware Identity Manager (vIDM) Connector
All
Windows
CVE-2023-20884
N/A
N/A
Unaffected
N/A
N/A
VMware Cloud Foundation (vIDM)
Any
Any
CVE-2023-20884
6.1
moderate
KB92512
None
None
****4. References****
****5. Change Log****
**2023-05-30: VMSA-2023-0011
**Initial security advisory.
****6. Contact****