⚠ Exploited in the wild
Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2021-21980: Sensitive Information Exposure in VMware vCenter Server

Severity: 7.5 HIGH (NVD)
EPSS: 7.6% (top 8.11%)
CISA KEV: Not in KEV
Exploit: Exploited in wild (active exploitation observed)
Timeline: Published Nov 24; latest update Nov 25

Description

The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages: 2 packages

Patches

🔴 Vulnerability Details (3)

GHSA
GHSA-j86w-wm9c-rcfm: The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability (2021-11-25)
CVEList
CVE-2021-21980: The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability (2021-11-24)
VulnCheck
vSphere Web Client (FLEX/Flash) Unauthorized Arbitrary File Read Vulnerability (2021)

📋 Vendor Advisories (1)

VMware
VMware vCenter Server updates address arbitrary file read and SSRF vulnerabilities (CVE-2021-21980, CVE-2021-22049) (2021-11-23)
CVE-2021-21980 — Sensitive Information Exposure | cvebase