CVE-2021-21973

Опубликовано: 24 фев. 2021

Источник: nvd

CVSS3: 5.3

CVSS2: 5

EPSS Критический

Описание

The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

Ссылки

https://www.vmware.com/security/advisories/VMSA-2021-0002.html
Vendor Advisory
https://www.vmware.com/security/advisories/VMSA-2021-0002.html
Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21973
US Government Resource

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*

Версия от 3.0 (включая) до 3.10.1.2 (исключая)

cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*

Версия от 4.0 (включая) до 4.2 (исключая)

cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:a:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:b:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:c:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:d:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:e:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:f:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:update1d:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:update1e:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:update1g:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:update2:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:update2b:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:update2c:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:update2d:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:update2g:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:update3:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:update3d:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:update3f:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.5:update3k:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.7:a:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.7:b:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.7:d:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.7:update1:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.7:update1b:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.7:update2:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.7:update2a:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.7:update2c:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.7:update3:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.7:update3a:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.7:update3b:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.7:update3f:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.7:update3g:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:6.7:update3j:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:-:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:a:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:b:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:c:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:d:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update1:*:*:*:*:*:*

cpe:2.3:a:vmware:vcenter_server:7.0:update1a:*:*:*:*:*:*

EPSS

Процентиль: 100%

0.90336

Критический

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-918

Связанные уязвимости

GHSA-5j6h-79mj-qfq2

CVSS3: 5.3

github

больше 3 лет назад

BDU:2021-00989

CVSS3: 5.3

fstec

почти 5 лет назад

Уязвимость плагина vSphere Client средства управления виртуальной инфраструктурой VMware vCenter Server, позволяющая нарушителю отправить запрос от имени атакуемого сервера

EPSS

Процентиль: 100%

0.90336

Критический

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-918