CVE-2021-22012 — Missing Authentication for Critical Function in Vmware Vcenter Server

CWE-306 — Missing Authentication for Critical Function CWE-668 — Resource Exposure4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.7%

top 28.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Cloud Foundation Vmware Vcenter Server Vmware Vcenter Server

Timeline

PublishedSep 23

Latest updateMay 24

Description

The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDvmware/vcenter_server6.7, 7.0+1

▶CVEListV5vmware/vmware_vcenter_serverVMware vCenter Server 6.5 before 6.5 U3q

▶NVDvmware/cloud_foundation3.0 — 5.0

Patches

Patch: www.vmware.com ↗Patch: www.vmware.com ↗

🔴Vulnerability Details

GHSA

GHSA-wcwp-7phh-vvr5: The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API↗2022-05-24

▶

CVEList

CVE-2021-22012: The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API↗2021-09-23

▶

📋Vendor Advisories

VMware

VMware vCenter Server updates address multiple security vulnerabilities↗2021-09-21

▶