CVE-2018-6979
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
05/10/2018
Last modified:
24/08/2020
Description
The VMware Workspace ONE Unified Endpoint Management Console (A/W Console) 9.7.x prior to 9.7.0.3, 9.6.x prior to 9.6.0.7, 9.5.x prior to 9.5.0.16, 9.4.x prior to 9.4.0.22, 9.3.x prior to 9.3.0.25, 9.2.x prior to 9.2.3.27, and 9.1.x prior to 9.1.5.6 contains a SAML authentication bypass vulnerability which can be leveraged during device enrollment. This vulnerability may allow for a malicious actor to impersonate an authorized SAML session if certificate-based authentication is enabled. This vulnerability is also relevant if certificate-based authentication is not enabled, but the outcome of exploitation is limited to an information disclosure (Important Severity) in those cases.
Impact
Base Score 3.x
7.40
Severity 3.x
HIGH
Base Score 2.0
5.80
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:vmware:airwatch_console:*:*:*:*:*:*:*:* | 9.1.0.0 (including) | 9.1.5.6 (excluding) |
| cpe:2.3:a:vmware:airwatch_console:*:*:*:*:*:*:*:* | 9.2.0.0 (including) | 9.2.3.27 (excluding) |
| cpe:2.3:a:vmware:airwatch_console:*:*:*:*:*:*:*:* | 9.3.0.0 (including) | 9.3.0.25 (excluding) |
| cpe:2.3:a:vmware:airwatch_console:*:*:*:*:*:*:*:* | 9.4.0.0 (including) | 9.4.0.22 (excluding) |
| cpe:2.3:a:vmware:airwatch_console:*:*:*:*:*:*:*:* | 9.5.0.0 (including) | 9.5.0.16 (excluding) |
| cpe:2.3:a:vmware:airwatch_console:*:*:*:*:*:*:*:* | 9.6.0.0 (including) | 9.6.0.7 (excluding) |
| cpe:2.3:a:vmware:airwatch_console:*:*:*:*:*:*:*:* | 9.7.0.0 (including) | 9.7.0.3 (excluding) |
To consult the complete list of CPE names with products and versions, see this page