⚠ Actively exploited

Added to CISA KEV on 2022-01-10. Federal agencies required to patch by 2022-01-24. Required action: Apply updates per vendor instructions..

CVE-2021-22017 — Relative Path Traversal in Vmware Vcenter Server

CWE-23 — Relative Path Traversal7 documents7 sources

Severity

5.3MEDIUMNVD

EPSS

74.8%

top 1.13%

CISA KEV

KEV

Added 2022-01-10

Due 2022-01-24

Exploit

Exploited in wild

Active exploitation observed

Affected products

Vmware Vcenter Server

Timeline

PublishedSep 23

KEV addedJan 10

KEV dueJan 24

Latest updateMay 24

CISA Required Action: Apply updates per vendor instructions.

Description

Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to bypass proxy leading to internal endpoints being accessed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

▶NVDvmware/vcenter_server6.7

Patches

Patch: www.vmware.com ↗Patch: www.vmware.com ↗

🔴Vulnerability Details

GHSA

GHSA-w46j-w72r-9x98: Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization↗2022-05-24

▶

CVEList

CVE-2021-22017: Rhttproxy as used in vCenter Server contains a vulnerability due to improper implementation of URI normalization↗2021-09-23

▶

VulnCheck

VMware vCenter Server Improper Access Control↗2021

▶

💥Exploits & PoCs

Nuclei

vCenter Server - Improper Access Control

▶

📋Vendor Advisories

CISA

VMware vCenter Server Improper Access Control↗2022-01-10

▶

VMware

VMware vCenter Server updates address multiple security vulnerabilities↗2021-09-21

▶