Severity: Low
Advisory ID: VMSA-2021-0008
CVSSv3 base score: 3.7
Issue date: 2021-05-11
Updated on: 2021-05-11 (Initial Advisory)
CVE(s): CVE-2021-21990
Synopsis: VMware Workspace ONE UEM console patches address a cross-site scripting vulnerability (CVE-2021-21990)

1. Impacted Products

VMware Workspace ONE UEM console

2. Introduction

A cross-site scripting vulnerability in VMware Workspace ONE UEM console was privately reported to VMware. Patches are available to remediate this vulnerability in affected VMware products. 

3. Cross Site Scripting (XSS) vulnerability in VMware Workspace ONE UEM console (CVE-2021-21990)

Description

VMware Workspace ONE UEM console does not validate an incoming request during device enrollment. VMware has evaluated the severity of this issue to be in the low severity range with a maximum CVSSv3 base score of 3.7.

Known Attack Vectors

A malicious actor may be able to inject code or redirect a user to another site during the enrollment process.

Resolution

To remediate CVE-2021-21990, apply the patches listed in the 'Fixed Version' column of the 'Resolution Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Notes

 

None.

Acknowledgements

VMware would like to thank Mr. Lauritz Holtmann and Mr. Leif Enders of usd AG for reporting this issue to us.

Response Matrix

| Product | Version | Running On | CVE Identifier | CVSSv3 | Severity | Fixed Version | Workarounds | Additional Documentation |
|---|---|---|---|---|---|---|---|---|
| VMware Workspace ONE UEM console | 1912 | Any | CVE-2021-21990 | 3.7 | low | 19.12.0.24 | None | None |
| VMware Workspace ONE UEM console | 2001 | Any | CVE-2021-21990 | 3.7 | low | 20.1.0.32 | None | None |
| VMware Workspace ONE UEM console | 2003 | Any | CVE-2021-21990 | 3.7 | low | 20.3.0.23 | None | None |
| VMware Workspace ONE UEM console | 2004 | Any | CVE-2021-21990 | 3.7 | low | 20.4.0.21 | None | None |
| VMware Workspace ONE UEM console | 2005 | Any | CVE-2021-21990 | 3.7 | low | 20.5.0.46 | None | None |
| VMware Workspace ONE UEM console | 2006 | Any | CVE-2021-21990 | 3.7 | low | 20.6.0.19 | None | None |
| VMware Workspace ONE UEM console | 2007 | Any | CVE-2021-21990 | 3.7 | low | 20.7.0.14 | None | None |
| VMware Workspace ONE UEM console | 2008 | Any | CVE-2021-21990 | 3.7 | low | 20.8.0.28 | None | None |
| VMware Workspace ONE UEM console | 2010 | Any | CVE-2021-21990 | 3.7 | low | 20.10.0.16 | None | None |
| VMware Workspace ONE UEM console | 2011 | Any | CVE-2021-21990 | 3.7 | low | 20.11.0.27 | None | None |
| VMware Workspace ONE UEM console | 2101 | Any | CVE-2021-21990 | 3.7 | low | 21.1.0.14 | None | None |
| VMware Workspace ONE UEM console | 2102 | Any | CVE-2021-21990 | 3.7 | low | 21.2.0.8 | None | None |

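
Added example (not part of the VMware advisory): a patch-status check that compares console builds against the 'Fixed Version' column above. It assumes the console reports a four-part build such as 20.8.0.12 whose first two parts name the release line (20.8 is row 2008); the function names and the sample inventory are constructed for illustration.

```python
# Fixed versions copied from the advisory's Response Matrix (CVE-2021-21990).
FIXED = {
    "1912": "19.12.0.24", "2001": "20.1.0.32", "2003": "20.3.0.23",
    "2004": "20.4.0.21", "2005": "20.5.0.46", "2006": "20.6.0.19",
    "2007": "20.7.0.14", "2008": "20.8.0.28", "2010": "20.10.0.16",
    "2011": "20.11.0.27", "2101": "21.1.0.14", "2102": "21.2.0.8",
}

def parse(version):
    """Turn '20.8.0.12' into (20, 8, 0, 12); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"expected a four-part numeric version, got {version!r}")
    return tuple(int(p) for p in parts)

def release_line(version):
    """Map a build to its matrix row key (assumption: 20.8.x.y -> '2008')."""
    major, minor, _, _ = parse(version)
    return f"{major:02d}{minor:02d}"

def assess(version):
    """Return (status, fixed_version) for one console build."""
    fixed = FIXED.get(release_line(version))
    if fixed is None:
        # The matrix has no row for this release line, so the advisory
        # alone cannot say whether it is affected or already fixed.
        return ("not-listed", None)
    # Compare as integer tuples: as plain strings '19.12.0.9' would sort
    # above '19.12.0.24' and an unpatched build would be reported as patched.
    if parse(version) >= parse(fixed):
        return ("patched", fixed)
    return ("needs-patch", fixed)

def triage(inventory):
    """Assess every host in a {hostname: build} mapping."""
    return {host: assess(build) for host, build in inventory.items()}

# Constructed sample inventory; hostnames and builds are made up.
SAMPLE = {
    "uem-console-a": "19.12.0.9",
    "uem-console-b": "20.10.0.16",
    "uem-console-c": "21.3.0.1",
}

if __name__ == "__main__":
    for host, (status, fixed) in triage(SAMPLE).items():
        print(f"{host}: {status}" + (f" (fixed in {fixed})" if fixed else ""))
```
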
4. References

Fixed Version(s) and Release Notes:

 

VMware Workspace ONE UEM console 2102 - On-Prem
https://resources.workspaceone.com/view/48ktw9p6spmq8dflll49/en

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2102/rn/Workspace-ONE-UEM-2102-Release-Notes.html#21-2-0-8-patch-resolved-issues-resolved

 

VMware Workspace ONE UEM console 2101 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2101/rn/Workspace-ONE-UEM-2101-Release-Notes.html#21-1-0-14-patch-resolved-issues-resolved

 

VMware Workspace ONE UEM console 2011 - On-Prem

https://resources.workspaceone.com/view/pdwkjgfsb8b57cxvfnpd/en
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2011/rn/VMware-Workspace-ONE-UEM-Release-Notes-2011.html#20-11-0-27-patch-resolved-issues-resolved

 

VMware Workspace ONE UEM console 2010 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2010/rn/VMware-Workspace-ONE-UEM-Release-Notes-2010.html#20-10-0-16-patch-resolved-issues-resolved

 

VMware Workspace ONE UEM console 2008 - On-Prem

https://resources.workspaceone.com/view/5qtfg6xhrkcp6vp4t4l7/en

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2008/rn/VMware-Workspace-ONE-UEM-Release-Notes-2008.html#20-8-0-28-patch-resolved-issues-resolved

 

VMware Workspace ONE UEM console 2007 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2007/rn/VMware-Workspace-ONE-UEM-Release-Notes-2007.html#20-7-0-14-patch-resolved-issues-resolved

 

VMware Workspace ONE UEM console 2006 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2006/rn/VMware-Workspace-ONE-UEM-Release-Notes-2006.html#20-6-0-19-patch-resolved-issues-resolved

 

VMware Workspace ONE UEM console 2005 - On-Prem

https://resources.workspaceone.com/view/3s4wvw2b3wp5mfs3y8s7/en

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2005/rn/VMware-Workspace-ONE-UEM-Release-Notes-2005.html#20-5-0-46-patch-resolved-issues-resolved

 

VMware Workspace ONE UEM console 2004 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2004/rn/VMware-Workspace-ONE-UEM-Release-Notes-2004.html#20-4-0-21-patch-resolved-issues-resolved

 

VMware Workspace ONE UEM console 2003 - Cloud Only

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2003/rn/VMware-Workspace-ONE-UEM-Release-Notes-2003.html#20-3-0-23-patch-resolved-issue-resolved

 

VMware Workspace ONE UEM console 2001 - On-Prem

https://resources.workspaceone.com/view/zmbk3nnwjhfr8jhkhyjc/en

https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/2001/rn/VMware-Workspace-ONE-UEM-Release-Notes-2001.html#20-1-0-32-patch-resolved-issues-resolved

 

VMware Workspace ONE UEM console 1912 - Cloud Only
https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/1912/rn/VMware


Additional Documentation

None

 

Mitre CVE Dictionary Links

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21990


FIRST CVSSv3 Calculator

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

5. Change Log

2021-05-11: VMSA-2021-21990
Initial security advisory.

6. Contact

E-mail list for product security notifications and announcements:

https://lists.vmware.com/mailman/listinfo/security-announce 

 

This Security Advisory is posted to the following lists:  

security-announce@lists.vmware.com  

bugtraq@securityfocus.com  

fulldisclosure@seclists.org 

 

E-mail: security@vmware.com

PGP key at:

https://kb.vmware.com/kb/1055 

 

VMware Security Advisories

https://www.vmware.com/security/advisories 

 

VMware Security Response Policy

https://www.vmware.com/support/policies/security_response.html 

 

VMware Lifecycle Support Phases

https://www.vmware.com/support/policies/lifecycle.html 

 

VMware Security & Compliance Blog  

https://blogs.vmware.com/security 

 

Twitter

https://twitter.com/VMwareSRC

 
