3 New Critical Warnings For VMware Workspace One Assist Software
VMware released security updates to fix 3 critical vulnerabilities in its Workspace One Assist software. A malicious actor with network access may be able to obtain administrator access without the need to authenticate.
Workspace One Assist is a real-time remote support software.
These flaws are being tracked as CVE-2022-31685 (Authentication Bypass Vulnerability), CVE-2022-31686 (Broken Authentication Method vulnerability), and CVE-2022-31687 (Broken Access Control vulnerability).
VMware patched several other vulnerabilities listed below along with the critical flaws above.
Reflected cross-site scripting (XSS) vulnerability (CVE-2022-31688): due to improper user input sanitization, a malicious actor with some user interaction may be able to inject JavaScript code in the target user's window.
Session fixation vulnerability (CVE-2022-31689): a malicious actor who obtains a valid session token may be able to authenticate to the application using that token.
VMware fixed these issues in Workspace One Assist 22.10.