CVE-2022-33931

Vulnerability

CVE-2022-33931 is an improper access control vulnerability in the UI of Dell Wyse Management Suite (WMS) version 3.6.1 and below [1]. The issue resides in the Alert Classification page, where the application fails to properly enforce access controls, allowing an attacker with no legitimate access to that page to modify alert categories [1].

Exploitation

An attacker with network access to the WMS UI but no explicit permission to access the Alert Classification page can exploit this vulnerability by sending crafted requests to the affected functionality [1]. The attacker does not require any prior authentication to the Alert Classification page, but must be an authenticated user of the WMS console with some level of access [1]. The exploitation involves bypassing the access control checks that normally restrict the Alert Classification page to authorized users.

Impact

Successful exploitation allows the attacker to change alert categories within the WMS [1]. This is an integrity impact, as the attacker can alter the classification of alerts, potentially leading to misconfiguration or confusion in monitoring and response activities. The CVSS v3.1 base score for this vulnerability is not provided in the reference, but the impact is limited to integrity, with no direct impact on confidentiality or availability [1].

Mitigation

Dell has addressed this vulnerability in Wyse Management Suite version 3.7, released on or before August 10, 2022 [1]. Users are advised to upgrade to version 3.7 or later to remediate the issue. No workarounds are documented in the available references [1].