CVE-2022-31662

Vulnerability

A path traversal vulnerability exists in VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), their respective connectors, and VMware vRealize Automation. The flaw resides in the handling of file paths by these products, and a malicious actor with network access may be able to access arbitrary files. Affected products and versions are detailed in VMSA-2022-0021 [1].

Exploitation

An attacker with network access to an affected system can exploit the path traversal flaw without requiring authentication. The attack sequence involves sending specially crafted HTTP requests that manipulate file path references, enabling traversal outside of the intended directory. No user interaction is required for exploitation [1].

Impact

Successful exploitation allows the attacker to read arbitrary files on the target system. This can lead to disclosure of sensitive information, including configuration files, credentials, or other data stored on the server. The CVSSv3 base score for this vulnerability is 5.3 (Medium) [1].

Mitigation

VMware has released patched versions for all affected products. Updates should be applied as specified in the advisory VMSA-2022-0021 [1]. No workarounds are provided; applying the patches is the only mitigation. The advisory also notes that this CVE is one of ten vulnerabilities addressed in the same update, and organizations should review all related CVEs [1].