CVE-2021-21975

Опубликовано: 31 мар. 2021

Источник: nvd

CVSS3: 7.5

CVSS2: 5

EPSS Критический

Описание

Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.

Ссылки

http://packetstormsecurity.com/files/162349/VMware-vRealize-Operations-Manager-Server-Side-Request-Forgery-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
https://www.vmware.com/security/advisories/VMSA-2021-0004.html
Vendor Advisory
http://packetstormsecurity.com/files/162349/VMware-vRealize-Operations-Manager-Server-Side-Request-Forgery-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
https://www.vmware.com/security/advisories/VMSA-2021-0004.html
Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-21975
US Government Resource

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:vmware:cloud_foundation:3.0:*:*:*:*:*:*:*

cpe:2.3:a:vmware:cloud_foundation:3.0.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:cloud_foundation:3.0.1.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:cloud_foundation:3.5:*:*:*:*:*:*:*

cpe:2.3:a:vmware:cloud_foundation:3.5.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:cloud_foundation:3.7:*:*:*:*:*:*:*

cpe:2.3:a:vmware:cloud_foundation:3.7.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:cloud_foundation:3.7.2:*:*:*:*:*:*:*

cpe:2.3:a:vmware:cloud_foundation:3.8:*:*:*:*:*:*:*

cpe:2.3:a:vmware:cloud_foundation:3.8.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:cloud_foundation:3.9:*:*:*:*:*:*:*

cpe:2.3:a:vmware:cloud_foundation:3.9.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:cloud_foundation:3.10:*:*:*:*:*:*:*

cpe:2.3:a:vmware:cloud_foundation:4.0:*:*:*:*:*:*:*

cpe:2.3:a:vmware:cloud_foundation:4.0.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:vrealize_operations_manager:7.0.0:*:*:*:*:*:*:*

cpe:2.3:a:vmware:vrealize_operations_manager:7.5.0:*:*:*:*:*:*:*

cpe:2.3:a:vmware:vrealize_operations_manager:8.0.0:*:*:*:*:*:*:*

cpe:2.3:a:vmware:vrealize_operations_manager:8.0.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:vrealize_operations_manager:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:vmware:vrealize_operations_manager:8.1.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:vrealize_operations_manager:8.2.0:*:*:*:*:*:*:*

cpe:2.3:a:vmware:vrealize_operations_manager:8.3.0:*:*:*:*:*:*:*

cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0:*:*:*:*:*:*:*

cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.0.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.1:*:*:*:*:*:*:*

cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:8.2:*:*:*:*:*:*:*

EPSS

Процентиль: 100%

0.9439

Критический

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-918

Связанные уязвимости

GHSA-px27-325w-m34c

CVSS3: 7.5

github

больше 3 лет назад

BDU:2021-01922

CVSS3: 7.5

fstec

почти 5 лет назад

Уязвимость API-интерфейса инструмента мониторинга виртуальной инфраструктуры vRealize Operations, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

EPSS

Процентиль: 100%

0.9439

Критический

7.5 High

CVSS3

5 Medium

CVSS2

Дефекты

CWE-918