Low
1. Impacted Products
VMware Workspace ONE UEM console
2. Introduction
A cross-site scripting vulnerability in VMware Workspace ONE UEM console was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products.
3. Cross Site Scripting (XSS) vulnerability in VMware Workspace ONE UEM console (CVE-2021-21990)
Description
VMware Workspace ONE UEM console does not validate an incoming request during device enrollment. VMware has evaluated the severity of this issue to be in the low severity range with a maximum CVSSv3 base score of 3.7.
Known Attack Vectors
A malicious actor may be able to inject code or redirect a user to another site during the enrollment process.
Resolution
To remediate CVE-2021-21990, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.
Workarounds
None.
Additional Documentation
None.
Notes
None.
Acknowledgements
VMware would like to thank Mr. Lauritz Holtmann and Mr. Leif Enders of usd AG for reporting this issue to us.
Response Matrix
Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
VMware Workspace ONE UEM console | 1912 | Any | CVE-2021-21990 | | low | 19.12.0.24 | None | None |
VMware Workspace ONE UEM console | 2001 | Any | CVE-2021-21990 | | low | 20.1.0.32 | None | None |
VMware Workspace ONE UEM console | 2003 | Any | CVE-2021-21990 | | low | 20.3.0.23 | None | None |
VMware Workspace ONE UEM console | 2004 | Any | CVE-2021-21990 | | low | 20.4.0.21 | None | None |
VMware Workspace ONE UEM console | 2005 | Any | CVE-2021-21990 | | low | 20.5.0.46 | None | None |
VMware Workspace ONE UEM console | 2006 | Any | CVE-2021-21990 | | low | 20.6.0.19 | None | None |
VMware Workspace ONE UEM console | 2007 | Any | CVE-2021-21990 | | low | 20.7.0.14 | None | None |
VMware Workspace ONE UEM console | 2008 | Any | CVE-2021-21990 | | low | 20.8.0.28 | None | None |
VMware Workspace ONE UEM console | 2010 | Any | CVE-2021-21990 | | low | 20.10.0.16 | None | None |
VMware Workspace ONE UEM console | 2011 | Any | CVE-2021-21990 | | low | 20.11.0.27 | None | None |
VMware Workspace ONE UEM console | 2101 | Any | CVE-2021-21990 | | low | 21.1.0.14 | None | None |
VMware Workspace ONE UEM console | 2102 | Any | CVE-2021-21990 | | low | 21.2.0.8 | None | None |
4. References
Fixed Version(s) and Release Notes:
VMware Workspace ONE UEM console 2102 - On-Prem
https://resources.workspaceone.com/view/48ktw9p6spmq8dflll49/en
VMware Workspace ONE UEM console 2101 - Cloud Only
VMware Workspace ONE UEM console 2011 - On-Prem
https://resources.workspaceone.com/view/pdwkjgfsb8b57cxvfnpd/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2011/rn/VMware-Workspace-ONE-UEM-Release-Notes-2011.html#20-11-0-27-patch-resolved-issues-resolved
VMware Workspace ONE UEM console 2010 - Cloud Only
VMware Workspace ONE UEM console 2008 - On-Prem
https://resources.workspaceone.com/view/5qtfg6xhrkcp6vp4t4l7/en
VMware Workspace ONE UEM console 2007 - Cloud Only
VMware Workspace ONE UEM console 2006 - Cloud Only
VMware Workspace ONE UEM console 2005 - On-Prem
https://resources.workspaceone.com/view/3s4wvw2b3wp5mfs3y8s7/en
VMware Workspace ONE UEM console 2004 - Cloud Only
VMware Workspace ONE UEM console 2003 - Cloud Only
VMware Workspace ONE UEM console 2001 - On-Prem
https://resources.workspaceone.com/view/zmbk3nnwjhfr8jhkhyjc/en
VMware Workspace ONE UEM console 1912 - Cloud Only
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1912/rn/VMware
Additional Documentation
None
Mitre CVE Dictionary Links
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21990
FIRST CVSSv3 Calculator
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
5. Change Log
2021-05-11: VMSA-2021-21990
Initial security advisory.
6. Contact
E-mail list for product security notifications and announcements:
https://lists.vmware.com/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
https://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2020 VMware Inc. All rights reserved.