Article Number: 000206134
DSA-2022-329: Dell Wyse Management Suite Security Update for Multiple Vulnerabilities
Summary: Dell Wyse Management Suite (WMS) remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
Article Content
Impact
High
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-46754 | Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. An authenticated malicious admin user may potentially access certain pro license features for which this admin is not authorized in order to configure user controlled external entities. | 8.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N |
| CVE-2022-46755 | Wyse Management Suite 3.8 and below contain an improper access control vulnerability. A authenticated malicious end user can edit general client policy for which the user is not authorized. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-46677 | Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. An authenticated malicious admin user may potentially create a subgroup under a group for which the admin is not authorized. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-46678 | Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. An authenticated malicious admin user may potentially edit general client policy for which the user is not authorized. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-46676 | Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. A malicious admin user may potentially disable or delete users under administration and unassigned admins for which the group admin is not authorized. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-46675 | Wyse Management Suite Repository 3.8 and earlier contain an information disclosure vulnerability in error pages with which an attacker may potentially discover the internal structure of the application and its components and use this information for further vulnerability research. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| Third-party Component | CVEs | More information |
| Swagger-UI (DOMPurify) | CVE-2020-26870 | See NVD (http://nvd.nist.gov/  ) for individual scores for each CVE. |
| OpenJDK | CVE-2022-34169 | |
| Gson | CVE-2022-25647 |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-46754 | Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. An authenticated malicious admin user may potentially access certain pro license features for which this admin is not authorized in order to configure user controlled external entities. | 8.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N |
| CVE-2022-46755 | Wyse Management Suite 3.8 and below contain an improper access control vulnerability. A authenticated malicious end user can edit general client policy for which the user is not authorized. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-46677 | Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. An authenticated malicious admin user may potentially create a subgroup under a group for which the admin is not authorized. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-46678 | Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. An authenticated malicious admin user may potentially edit general client policy for which the user is not authorized. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-46676 | Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. A malicious admin user may potentially disable or delete users under administration and unassigned admins for which the group admin is not authorized. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-46675 | Wyse Management Suite Repository 3.8 and earlier contain an information disclosure vulnerability in error pages with which an attacker may potentially discover the internal structure of the application and its components and use this information for further vulnerability research. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| Third-party Component | CVEs | More information |
| Swagger-UI (DOMPurify) | CVE-2020-26870 | See NVD (http://nvd.nist.gov/ ) for individual scores for each CVE. |
| OpenJDK | CVE-2022-34169 | |
| Gson | CVE-2022-25647 |
Affected Products and Remediation
| Product | Affected Versions | Updated Versions | Link to Update |
| Dell Wyse Management Suite | 3.8 and earlier | 4.0 | Dell Wyse Management Suite |
| Dell Wyse Management Suite Repository | 3.8 and earlier | 4.0 | Dell Wyse Management Suite Repository |
| Product | Affected Versions | Updated Versions | Link to Update |
| Dell Wyse Management Suite | 3.8 and earlier | 4.0 | Dell Wyse Management Suite |
| Dell Wyse Management Suite Repository | 3.8 and earlier | 4.0 | Dell Wyse Management Suite Repository |
Acknowledgements
Dell Technologies would like to thank Marius Gabriel Mihai for reporting CVE-2020-26870.
Revision History
| Revision | Date | Description |
| 1.0 | 2022-12-19 | Initial Release |
Related Information
Legal Information
Article Properties
Affected Product
Wyse Management Suite
Product
Product Security Information
Last Published Date
09 Feb 2024
Version
3
Article Type
Dell Security Advisory