VMware released a patch to address multiple flaws in its products, including a critical issue that could allow an attacker to access confidential information. Two vulnerabilities, tracked as CVE-2021-22002 and CVE-2021-22003, impact Workspace One Access (Access), Identity Manager (vIDM), vRealize Automation (vRA), Cloud Foundation, and vRealize Suite Lifecycle Manager. CVE-2021-22002 affects VMware Workspace One Access and Identity Manager: by supplying a custom Host header, a request over port 443 can reach the /cfg web app and the /cfg diagnostic endpoints. VMware has assigned CVE-2021-22002 a CVSS base score of 8.6. A threat actor with network access to port 443 could tamper with the Host header to reach the /cfg web app and /cfg diagnostic endpoints without authentication.
CVE-2021-22003 is an information disclosure flaw in VMware Workspace One Access and Identity Manager. Both products unintentionally expose a login interface on port 7443, which an attacker could use to enumerate users or run a brute-force attack against that endpoint. CVE-2021-22003 has been given a CVSS base score of 3.7.
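As an added example that is not part of the advisory or of VMware's own tooling, the following Python script runs the two detections a defender would want over access-log lines: requests to the /cfg paths on port 443 whose Host header does not match the appliance's expected hostname (the CVE-2021-22002 pattern), and a burst of POSTs from a single source to the port-7443 login interface (the enumeration and brute-force pattern behind CVE-2021-22003). The log format, the field names, the /login path, the hostname idm.example.test, the sample addresses and the threshold are all constructed assumptions for the demonstration; real appliance or reverse-proxy logs will need their own parser.

```python
from collections import Counter
from dataclasses import dataclass
import re

# Assumed, constructed log format for this example (not a VMware log format):
#   <ISO time> <src_ip> <dst_port> "<METHOD> <path>" host=<Host header> status=<code>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<port>\d+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'host=(?P<host>\S+) status=(?P<status>\d{3})$'
)


@dataclass
class Request:
    ts: str
    src: str
    port: int
    method: str
    path: str
    host: str
    status: int


def parse_log(text):
    """Parse constructed log lines; unparseable lines are skipped, not fatal."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            out.append(Request(d["ts"], d["src"], int(d["port"]), d["method"],
                               d["path"], d["host"], int(d["status"])))
    return out


def cfg_host_mismatches(requests, expected_host):
    """CVE-2021-22002 pattern: requests for /cfg (web app or diagnostic
    endpoints) on 443 whose Host header is not the appliance's expected FQDN.
    A port suffix in the Host header is ignored for the comparison."""
    expected = expected_host.lower()
    return [r for r in requests
            if r.port == 443 and r.path.startswith("/cfg")
            and r.host.split(":")[0].lower() != expected]


def login_bursts(requests, threshold, login_port=7443):
    """CVE-2021-22003 pattern: one source sending many POSTs to the port-7443
    login interface. Returns {src_ip: count} for sources at or above threshold.
    The login path is not assumed; destination port plus method is the signal."""
    counts = Counter(r.src for r in requests
                     if r.port == login_port and r.method == "POST")
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample log (not real traffic). 203.0.113.7 hits /cfg with a bogus
# Host header; 198.51.100.9 hammers the 7443 login interface; the rest is benign.
# The "/login" path is a placeholder, not the appliance's real login URL.
SAMPLE_LOG = """\
2021-09-01T10:00:01Z 10.1.1.10 443 "GET /cfg/diagnostic" host=idm.example.test status=200
2021-09-01T10:00:02Z 203.0.113.7 443 "GET /cfg/" host=bogus.example status=200
2021-09-01T10:00:03Z 203.0.113.7 443 "GET /cfg/diagnostic" host=bogus.example:443 status=200
2021-09-01T10:00:04Z 10.1.1.11 443 "GET /" host=idm.example.test status=200
this line is garbage and must be skipped by the parser
2021-09-01T10:00:05Z 198.51.100.9 7443 "POST /login" host=idm.example.test status=401
2021-09-01T10:00:06Z 198.51.100.9 7443 "POST /login" host=idm.example.test status=401
2021-09-01T10:00:07Z 198.51.100.9 7443 "POST /login" host=idm.example.test status=401
2021-09-01T10:00:08Z 198.51.100.9 7443 "POST /login" host=idm.example.test status=401
2021-09-01T10:00:09Z 198.51.100.9 7443 "POST /login" host=idm.example.test status=401
2021-09-01T10:00:10Z 198.51.100.9 7443 "POST /login" host=idm.example.test status=401
2021-09-01T10:00:11Z 10.1.1.12 7443 "POST /login" host=idm.example.test status=200
"""

EXPECTED_HOST = "idm.example.test"  # assumed appliance FQDN for the sample


def scan(text=SAMPLE_LOG, expected_host=EXPECTED_HOST, threshold=5):
    """Run both detections and return the findings as a dict."""
    reqs = parse_log(text)
    return {
        "cfg_host_mismatch": cfg_host_mismatches(reqs, expected_host),
        "login_bursts": login_bursts(reqs, threshold),
    }


if __name__ == "__main__":
    findings = scan()
    for r in findings["cfg_host_mismatch"]:
        print(f"/cfg with unexpected Host: {r.src} {r.method} {r.path} host={r.host}")
    for src, n in findings["login_bursts"].items():
        print(f"login burst on 7443: {src} ({n} POSTs)")
```

The Host mismatch check is the more useful of the two: legitimate administration of the /cfg web app arrives with the appliance's own hostname, so any /cfg request carrying some other Host value is worth an alert on its own, while the 7443 counter needs a threshold tuned to the environment and is only a coarse signal for enumeration or brute-force activity.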