DSA-2022-329: Dell Wyse Management Suite Security Update for Multiple Vulnerabilities
Summary: Dell Wyse Management Suite (WMS) remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.
Impact
High
Details
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-46754 | Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. An authenticated malicious admin user may potentially access certain pro license features for which this admin is not authorized in order to configure user controlled external entities. | 8.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N |
| CVE-2022-46755 | Wyse Management Suite 3.8 and below contain an improper access control vulnerability. A authenticated malicious end user can edit general client policy for which the user is not authorized. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-46677 | Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. An authenticated malicious admin user may potentially create a subgroup under a group for which the admin is not authorized. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-46678 | Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. An authenticated malicious admin user may potentially edit general client policy for which the user is not authorized. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-46676 | Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. A malicious admin user may potentially disable or delete users under administration and unassigned admins for which the group admin is not authorized. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-46675 | Wyse Management Suite Repository 3.8 and earlier contain an information disclosure vulnerability in error pages with which an attacker may potentially discover the internal structure of the application and its components and use this information for further vulnerability research. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| Third-party Component | CVEs | More information |
| Swagger-UI (DOMPurify) | CVE-2020-26870 | See NVD (http://nvd.nist.gov/  ) for individual scores for each CVE. |
| OpenJDK | CVE-2022-34169 | |
| Gson | CVE-2022-25647 |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| CVE-2022-46754 | Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. An authenticated malicious admin user may potentially access certain pro license features for which this admin is not authorized in order to configure user controlled external entities. | 8.7 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N |
| CVE-2022-46755 | Wyse Management Suite 3.8 and below contain an improper access control vulnerability. A authenticated malicious end user can edit general client policy for which the user is not authorized. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-46677 | Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. An authenticated malicious admin user may potentially create a subgroup under a group for which the admin is not authorized. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-46678 | Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. An authenticated malicious admin user may potentially edit general client policy for which the user is not authorized. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-46676 | Wyse Management Suite 3.8 and earlier contain an improper access control vulnerability. A malicious admin user may potentially disable or delete users under administration and unassigned admins for which the group admin is not authorized. | 4.9 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| CVE-2022-46675 | Wyse Management Suite Repository 3.8 and earlier contain an information disclosure vulnerability in error pages with which an attacker may potentially discover the internal structure of the application and its components and use this information for further vulnerability research. | 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| Third-party Component | CVEs | More information |
| Swagger-UI (DOMPurify) | CVE-2020-26870 | See NVD (http://nvd.nist.gov/ ) for individual scores for each CVE. |
| OpenJDK | CVE-2022-34169 | |
| Gson | CVE-2022-25647 |
Affected Products & Remediation
| Product | Affected Versions | Updated Versions | Link to Update |
| Dell Wyse Management Suite | 3.8 and earlier | 4.0 | Dell Wyse Management Suite |
| Dell Wyse Management Suite Repository | 3.8 and earlier | 4.0 | Dell Wyse Management Suite Repository |
| Product | Affected Versions | Updated Versions | Link to Update |
| Dell Wyse Management Suite | 3.8 and earlier | 4.0 | Dell Wyse Management Suite |
| Dell Wyse Management Suite Repository | 3.8 and earlier | 4.0 | Dell Wyse Management Suite Repository |
Revision History
| Revision | Date | Description |
| 1.0 | 2022-12-19 | Initial Release |
Acknowledgements
Dell Technologies would like to thank Marius Gabriel Mihai for reporting CVE-2020-26870.
Related Information
Legal Disclaimer
Affected Products
Wyse Management SuiteProducts
Product Security InformationArticle Properties
Article Number: 000206134
Article Type: Dell Security Advisory
Last Modified: 09 Feb 2024
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.
Article Properties
Article Number: 000206134
Article Type: Dell Security Advisory
Last Modified: 09 Feb 2024
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.