VYPR
Unrated severity · NVD Advisory · Published Dec 11, 2014 · Updated May 6, 2026

CVE-2014-8372

Description

AirWatch On-Premise 7.3.x before FP3 allows authenticated users to view other tenants' organizational info via direct object reference.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

AirWatch by VMware On-Premise versions 7.3.x.x prior to 7.3.3.0 (FP3) contain a direct object reference vulnerability in the multi-tenant environment. This allows a user who manages an AirWatch deployment to access organizational information and statistics belonging to other tenants by manipulating object references. The issue affects only On-Premise deployments; AirWatch Cloud is not vulnerable [1].

Exploitation

An attacker must be a remote authenticated user with access to an AirWatch On-Premise instance in a multi-tenant configuration. By crafting requests that modify direct object references (e.g., tenant IDs or resource identifiers), the attacker can retrieve data from arbitrary tenants without proper authorization checks. No additional privileges or user interaction beyond authentication are required [1].

Impact

Successful exploitation results in unauthorized disclosure of organizational information and statistics from other tenants. This includes sensitive data such as device counts, user details, and configuration metrics. The attacker gains read access to cross-tenant data but does not achieve code execution or privilege escalation within the compromised tenant [1].

Mitigation

VMware released AirWatch On-Premise 7.3.3.0 (FP3) to address this vulnerability. All On-Premise deployments should be updated to this version or later. AirWatch Cloud was already patched and requires no action. No workarounds are documented; the only mitigation is applying the update [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

VMware/Airwatch (3 versions)
  • cpe:2.3:a:vmware:airwatch:*:*:*:*:*:*:*:* (range: <=7.3.3.0)
  • cpe:2.3:a:vmware:airwatch:7.3.0.0:*:*:*:*:*:*:*
  • (no CPE) (range: <7.3.3.0)

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
