CVE-2021-21993

Published: Sep 23, 2021Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

The vCenter Server contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in vCenter Server Content Library. An authorised user with access to content library may exploit this issue by sending a POST request to vCenter Server leading to information disclosure.

Affected (4)

Products: Vmware: Cloud Foundation, Vcenter Server

2 products

Cloud Foundation

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Vmware Cloud Foundation	From 3.0 to 5.0
Vmware Vcenter Server	Version 6.5
Vmware Vcenter Server	Version 6.7
Vmware Vcenter Server	Version 7.0

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://www.vmware.com/security/advisories/VMSA-2021-0020.html

Source: security@vmware.com

PatchVendor Advisory

https://www.vmware.com/security/advisories/VMSA-2021-0020.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.