CVE-2021-22025

CWE-287 — Improper Authentication4 documents4 sources

Severity

7.5HIGH

EPSS

0.2%

top 59.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Vrealize Operations Manager Vmware Cloud Foundation Vmware Vrealize Suite Lifecycle Manager

Timeline

PublishedAug 30

Latest updateMay 24

Description

The vRealize Operations Manager API (8.x prior to 8.5) contains a broken access control vulnerability leading to unauthenticated API access. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to existing vROps cluster.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDvmware/vrealize_operations_manager8.0.0 — 8.5.0+1

▶NVDvmware/vrealize_suite_lifecycle_manager8.0 — 8.2

▶CVEListV5vmware_vrealize_operationsVMware vRealize Operations (8.x prior to 8.5)

▶NVDvmware/cloud_foundation3.0 — 3.10.2.1+1

Patches

Patch: www.vmware.com ↗Patch: www.vmware.com ↗

🔴Vulnerability Details

GHSA

GHSA-6hvv-x2xw-p422: The vRealize Operations Manager API (8↗2022-05-24

▶

CVEList

CVE-2021-22025: The vRealize Operations Manager API (8↗2021-08-30

▶

📋Vendor Advisories

VMware

VMware vRealize Operations updates address multiple security vulnerabilities (CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027)↗2021-08-24

▶