CVE-2021-21991Improper Privilege Management in Vmware Vcenter Server

CWE-269Improper Privilege Management4 documents4 sources
Severity
7.8HIGHNVD
EPSS
0.2%
top 58.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Vmware Cloud FoundationVmware Vcenter Server
Timeline
PublishedSep 22
Latest updateMay 24

Description

The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. A malicious actor with non-administrative user access on vCenter Server host may exploit this issue to escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash).

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

NVDvmware/vcenter_server6.5, 6.7, 7.0+2
NVDvmware/cloud_foundation3.03.10.2.2+1

Patches

Patch: www.vmware.comPatch: www.vmware.com

🔴Vulnerability Details

2
GHSA
GHSA-h338-w3fh-545j: The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens2022-05-24
CVEList
CVE-2021-21991: The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens2021-09-22

📋Vendor Advisories

1
VMware
VMware vCenter Server updates address multiple security vulnerabilities2021-09-21
CVE-2021-21991 — Improper Privilege Management | cvebase