CVE-2021-22015: Files or Directories Accessible to External Parties in VMware vCenter Server

Severity: 7.8 HIGH (NVD)
EPSS: 1.8% (top 17.22%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 23; Latest update May 24

Description

The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. An authenticated local user with non-administrative privilege may exploit these issues to elevate their privileges to root on vCenter Server Appliance.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (2 packages)

NVD: vmware/vcenter_server 6.5, 6.7, 7.0 +2
NVD: vmware/cloud_foundation 3.05.0

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-7r68-66h2-v7f6: The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories (2022-05-24)
CVEList: CVE-2021-22015: The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories (2021-09-23)

📋 Vendor Advisories (1)

VMware: VMware vCenter Server updates address multiple security vulnerabilities (2021-09-21)