Skip to content

Lock WARP switch bypass by removing VPN profile on iOS mobile client

Moderate
mskowroncf published GHSA-vr93-4vx7-332p Oct 28, 2022

Package

Cloudflare WARP mobile client (iOS)

Affected versions

<6.15

Patched versions

None

Description

Impact

It was possible for a user to delete a VPN profile from WARP mobile client on iOS platform despite the Lock WARP switch feature being enabled on Zero Trust Platform. This led to bypassing policies and restrictions enforced for enrolled devices by the Zero Trust platform.

Patches

The issue was fixed in Warp iOS mobile client v. 6.15.

References

Severity

Moderate

CVE ID

CVE-2022-3337

Weaknesses

No CWEs