VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
2022-04-11T20:15:19.890
2025-03-12T20:01:47.123
Analyzed
CVSSv3.1: 9.8 (CRITICAL)
AV:N/AC:L/Au:N/C:C/I:C/A:C
10.0
10.0
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | vmware | identity_manager | 3.3.3 | Yes |
| Application | vmware | identity_manager | 3.3.4 | Yes |
| Application | vmware | identity_manager | 3.3.5 | Yes |
| Application | vmware | identity_manager | 3.3.6 | Yes |
| Application | vmware | vrealize_automation | ≤ 8.6 | Yes |
| Application | vmware | vrealize_automation | 7.6 | Yes |
| Application | vmware | workspace_one_access | 20.10.0.0 | Yes |
| Application | vmware | workspace_one_access | 20.10.0.1 | Yes |
| Application | vmware | workspace_one_access | 21.08.0.0 | Yes |
| Application | vmware | workspace_one_access | 21.08.0.1 | Yes |
| Application | linux | linux_kernel | - | No |
| Application | vmware | cloud_foundation | ≤ 4.3.1 | Yes |
| Application | vmware | vrealize_suite_lifecycle_manager | ≤ 8.2 | Yes |