CVE-2021-22024

CWE-532 — Log File Information Exposure4 documents4 sources

Severity

7.5HIGH

EPSS

0.3%

top 49.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Vrealize Operations Manager Vmware Cloud Foundation Vmware Vrealize Suite Lifecycle Manager

Timeline

PublishedAug 30

Latest updateMay 24

Description

The vRealize Operations Manager API (8.x prior to 8.5) contains an arbitrary log-file read vulnerability. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can read any log file resulting in sensitive information disclosure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDvmware/vrealize_operations_manager8.0.0 — 8.5.0+1

▶NVDvmware/vrealize_suite_lifecycle_manager8.0 — 8.2

▶CVEListV5vmware_vrealize_operationsVMware vRealize Operations (8.x prior to 8.5)

▶NVDvmware/cloud_foundation3.0 — 3.10.2.1+1

Patches

Patch: www.vmware.com ↗Patch: www.vmware.com ↗

🔴Vulnerability Details

GHSA

GHSA-px9r-xq3x-jf4f: The vRealize Operations Manager API (8↗2022-05-24

▶

CVEList

CVE-2021-22024: The vRealize Operations Manager API (8↗2021-08-30

▶

📋Vendor Advisories

VMware

VMware vRealize Operations updates address multiple security vulnerabilities (CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027)↗2021-08-24

▶