CVE-2022-46677

Vulnerability

Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability [1]. A custom group admin with valid credentials can create a subgroup under a group for which they are not authorized to perform such actions [1]. The affected versions are 3.8 and below.

Exploitation

An attacker must be an authenticated admin user with group-level administrative privileges [1]. No additional network position or user interaction is required beyond the authenticated session [1]. The attacker can exploit this by navigating to the group management interface and creating a subgroup under a group outside their permitted scope [1].

Impact

Successful exploitation allows the attacker to create subgroups under unauthorized groups, leading to unauthorized access to group management functions [1]. This affects system integrity and availability without direct impact on confidentiality [1]. The CVSS v3.1 base score is 4.9 (Medium), with vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H, indicating a high availability impact [1].

Mitigation

Dell has released a security update; users should upgrade Wyse Management Suite to version 3.8.1 or later to address CVE-2022-46677 [1]. No workarounds are documented in the available references [1].