CVE-2021-22023

CWE-639 — Insecure Direct Object Reference4 documents4 sources

Severity

7.2HIGH

EPSS

0.3%

top 44.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Vrealize Operations Manager Vmware Cloud Foundation Vmware Vrealize Suite Lifecycle Manager

Timeline

PublishedAug 30

Latest updateMay 24

Description

The vRealize Operations Manager API (8.x prior to 8.5) has insecure object reference vulnerability. A malicious actor with administrative access to vRealize Operations Manager API may be able to modify other users information leading to an account takeover.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages4 packages

▶NVDvmware/vrealize_operations_manager8.0.0 — 8.5.0+1

▶NVDvmware/vrealize_suite_lifecycle_manager8.0 — 8.2

▶CVEListV5vmware_vrealize_operationsVMware vRealize Operations (8.x prior to 8.5)

▶NVDvmware/cloud_foundation3.0 — 3.10.2.1+1

Patches

Patch: www.vmware.com ↗Patch: www.vmware.com ↗

🔴Vulnerability Details

GHSA

GHSA-qh32-g7xq-vjj8: The vRealize Operations Manager API (8↗2022-05-24

▶

CVEList

CVE-2021-22023: The vRealize Operations Manager API (8↗2021-08-30

▶

📋Vendor Advisories

VMware

VMware vRealize Operations updates address multiple security vulnerabilities (CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027)↗2021-08-24

▶