#VU24188 Information disclosure in VMware, Inc products - CVE-2020-3940

 

Published: January 10, 2020


Vulnerability identifier: #VU24188
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2020-3940
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Workspace ONE SDK
Workspace ONE SDK (Objective-C)
Workspace ONE Boxer
Workspace ONE Content for Android
Workspace ONE Content for iOS
Workspace ONE Intelligent Hub
Workspace ONE Notebook
Workspace ONE People
Workspace ONE PIV-D
Workspace ONE Web
Workspace ONE SDK Plugin for Apache Cordova
Workspace ONE SDK Plugin for Xamarin
Software vendor:
VMware, Inc

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the affected software does not properly handle certificate verification failures when SSL Pinning has been enabled in the Workspace ONE UEM Console. A remote attacker with a man-in-the-middle (MITM) network position between an affected mobile application and Workspace ONE UEM Device Services can capture sensitive data in transit if SSL Pinning is enabled.


Remediation

Install updates from the vendor's website.
