Information disclosure in VMware, Inc products - CVE-2020-3940

 


Published: January 10, 2020


Vulnerability identifier: #VU24188
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-3940
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: VMware, Inc
Affected software:
Workspace ONE SDK
Workspace ONE SDK (Objective-C)
Workspace ONE Boxer
Workspace ONE Content for Android
Workspace ONE Content for iOS
Workspace ONE Intelligent Hub
Workspace ONE Notebook
Workspace ONE People
Workspace ONE PIV-D
Workspace ONE Web
Workspace ONE SDK Plugin for Apache Cordova
Workspace ONE SDK Plugin for Xamarin

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the affected software does not properly handle certificate verification failures when SSL Pinning has been enabled in the Workspace ONE UEM Console. A remote attacker with man-in-the-middle (MITM) network positioning between an affected mobile application and Workspace ONE UEM Device Services can capture sensitive data in transit if SSL Pinning is enabled.
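The defect class described above, as an added illustration that is not VMware code and does not reflect how the Workspace ONE SDK implements pinning: a pin check that logs a mismatch and continues (fail-open) beside one that aborts before any data is sent (fail-closed). SPKI-hash pins, the stand-in key bytes and all function names are assumptions.

```python
import base64
import hashlib
import logging

log = logging.getLogger("pinning-demo")


class PinMismatch(Exception):
    """Raised when no key in the presented chain matches the configured pin set."""


def spki_pin(spki_der: bytes) -> str:
    """HPKP/OkHttp-style pin: 'sha256/' + base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def check_pins_fail_open(chain_spkis: list[bytes], pinset: set[str]) -> bool:
    """Weak pattern: the mismatch is only logged, so the client keeps talking to the peer.
    Pinning looks 'enabled' but a verification failure never stops the connection."""
    if not any(spki_pin(s) in pinset for s in chain_spkis):
        log.warning("pin mismatch, continuing anyway")
    return True


def check_pins_fail_closed(chain_spkis: list[bytes], pinset: set[str]) -> bool:
    """Correct pattern: a mismatch raises, and the caller must treat that as a failed handshake."""
    if not any(spki_pin(s) in pinset for s in chain_spkis):
        raise PinMismatch("no pinned key present in the certificate chain")
    return True


def send_to_device_services(payload: bytes, chain_spkis: list[bytes],
                            pinset: set[str], checker) -> bool:
    """Simulated client call: returns True if the payload would leave the device
    over this connection, i.e. reach whoever terminated TLS (legitimate or interposed)."""
    try:
        checker(chain_spkis, pinset)
    except PinMismatch:
        return False
    return True


# Constructed sample inputs (not real keys): stand-ins for the DER SubjectPublicKeyInfo
# of the legitimate Device Services key, a backup key, and an interposed (MITM) key.
LEGIT_SPKI = b"constructed-device-services-spki"
BACKUP_SPKI = b"constructed-backup-spki"
MITM_SPKI = b"constructed-interposed-spki"
PINSET = {spki_pin(LEGIT_SPKI), spki_pin(BACKUP_SPKI)}
```

With the fail-open checker the interposed key passes and the payload is transmitted; with the fail-closed checker it is withheld, which is the behaviour a pin-enabled client must have.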


How to mitigate CVE-2020-3940

Install updates from vendor's website.

Sources