Vulnerabilities > CVE-2022-3337 - Missing Authorization vulnerability in Cloudflare Warp Mobile Client

047910
CVSS 8.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
LOW
network
low complexity
cloudflare
CWE-862

Summary

It was possible for a user to delete a VPN profile from WARP mobile client on iOS platform despite the Lock WARP switch https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/warp/warp-settings/#lock-warp-switch  feature being enabled on Zero Trust Platform. This led to bypassing policies and restrictions enforced for enrolled devices by the Zero Trust platform.

Common Weakness Enumeration (CWE)