CVE-2021-21993: Server-Side Request Forgery in VMware vCenter Server

Severity: 6.5 MEDIUM (NVD)
EPSS: 0.2% (top 52.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2021-09-23; latest update 2022-05-24

Description

vCenter Server contains an SSRF (Server-Side Request Forgery) vulnerability caused by improper validation of URLs in the vCenter Server Content Library. An authorized user with access to the Content Library can exploit this issue by sending a crafted POST request to vCenter Server, causing the server to fetch an attacker-chosen URL and leading to information disclosure. The vulnerability requires authentication (PR:L in the vector) and affects confidentiality only; integrity and availability are not impacted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (Exploitability: 2.8 | Impact: 3.6)

Affected Packages (2 packages)

Source | Package | Versions
NVD | vmware/vcenter_server | 6.5, 6.7, 7.0 (+2)
NVD | vmware/cloud_foundation | 3.0, 5.0

Patches

🔴Vulnerability Details (2)

GHSA: GHSA-p52h-5fjj-x2pc: The vCenter Server contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in vCenter Server Content Library (2022-05-24)
CVEList: CVE-2021-21993: The vCenter Server contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in vCenter Server Content Library (2021-09-23)

📋Vendor Advisories (1)

VMware: VMware vCenter Server updates address multiple security vulnerabilities (2021-09-21)