#VU24188 Information disclosure in VMware, Inc Web applications


Published: 2020-01-10

Vulnerability identifier: #VU24188

Vulnerability risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-3940

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Workspace ONE SDK [Other software / Other software solutions]
Workspace ONE SDK (Objective-C) [Other software / Other software solutions]
Workspace ONE Boxer [Mobile applications / Apps for mobile phones]
Workspace ONE Content for Android [Mobile applications / Apps for mobile phones]
Workspace ONE Content for iOS [Mobile applications / Apps for mobile phones]
Workspace ONE Intelligent Hub [Mobile applications / Apps for mobile phones]
Workspace ONE Notebook [Mobile applications / Apps for mobile phones]
Workspace ONE People [Mobile applications / Apps for mobile phones]
Workspace ONE PIV-D [Mobile applications / Apps for mobile phones]
Workspace ONE Web [Mobile applications / Apps for mobile phones]
Workspace ONE SDK Plugin for Apache Cordova [Web applications / Modules and components for CMS]
Workspace ONE SDK Plugin for Xamarin [Web applications / Modules and components for CMS]

Vendor: VMware, Inc

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists because the affected software does not properly handle certificate verification failures when SSL Pinning has been enabled in the Workspace ONE UEM Console. A remote attacker with man-in-the-middle (MITM) network positioning between an affected mobile application and Workspace ONE UEM Device Services can capture sensitive data in transit if SSL Pinning is enabled.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions

Workspace ONE SDK: 19.8 - 19.10

Workspace ONE Boxer: 5.11 - 5.13

Workspace ONE SDK (Objective-C): 5.9.9.7

Workspace ONE Content for Android: 3.20 - 3.20.1

Workspace ONE Content for iOS: 4.19.3

Workspace ONE SDK Plugin for Apache Cordova: 1.5

Workspace ONE Intelligent Hub: 19.09 - 19.11

Workspace ONE Notebook: 1.2

Workspace ONE People: All versions

Workspace ONE PIV-D: 1.4.1

Workspace ONE Web: 7.8 - 7.10

Workspace ONE SDK Plugin for Xamarin: 1.4


External links
http://www.vmware.com/security/advisories/VMSA-2020-0001.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

