CVE-2022-3337

Published: Oct 28, 2022Modified: Nov 21, 2024

8.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

Exploitability: 3.1 / Impact: 4.7

Source: NVD

Description

It was possible for a user to delete a VPN profile from WARP mobile client on iOS platform despite the Lock WARP switch https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch feature being enabled on Zero Trust Platform. This led to bypassing policies and restrictions enforced for enrolled devices by the Zero Trust platform.

Affected (1)

Products: Cloudflare: Warp Mobile Client

1 product

Warp Mobile Client

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cloudflare Warp Mobile Client	Before 6.15

Related CWEs

Authentication Bypass by Spoofing

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://github.com/cloudflare/advisories/security/advisories/GHSA-vr93-4vx7-332p

Source: cna@cloudflare.com

Third Party Advisory

https://github.com/cloudflare/advisories/security/advisories/GHSA-vr93-4vx7-332p

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.