CVE-2021-22022

CWE-22 — Path Traversal4 documents4 sources

Severity

4.9MEDIUM

EPSS

0.2%

top 56.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Vrealize Operations Manager Vmware Cloud Foundation Vmware Vrealize Suite Lifecycle Manager

Timeline

PublishedAug 30

Latest updateMay 24

Description

The vRealize Operations Manager API (8.x prior to 8.5) contains an arbitrary file read vulnerability. A malicious actor with administrative access to vRealize Operations Manager API can read any arbitrary file on server leading to information disclosure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages4 packages

▶NVDvmware/vrealize_operations_manager8.0.0 — 8.5.0+1

▶NVDvmware/vrealize_suite_lifecycle_manager8.0 — 8.2

▶CVEListV5vmware_vrealize_operationsVMware vRealize Operations (8.x prior to 8.5)

▶NVDvmware/cloud_foundation3.0 — 3.10.2.1+1

Patches

Patch: www.vmware.com ↗Patch: www.vmware.com ↗

🔴Vulnerability Details

GHSA

GHSA-qp9m-g55q-823w: The vRealize Operations Manager API (8↗2022-05-24

▶

CVEList

CVE-2021-22022: The vRealize Operations Manager API (8↗2021-08-30

▶

📋Vendor Advisories

VMware

VMware vRealize Operations updates address multiple security vulnerabilities (CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027)↗2021-08-24

▶