CVE-2021-22027

CWE-918 — Server-Side Request Forgery (SSRF)4 documents4 sources

Severity

7.5HIGH

EPSS

0.2%

top 54.39%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Vrealize Operations Manager Vmware Cloud Foundation Vmware Vrealize Suite Lifecycle Manager

Timeline

PublishedAug 30

Latest updateMay 24

Description

The vRealize Operations Manager API (8.x prior to 8.5) contains a Server Side Request Forgery in an end point. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack leading to information disclosure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶NVDvmware/vrealize_operations_manager8.0.0 — 8.5.0+1

▶NVDvmware/vrealize_suite_lifecycle_manager8.0 — 8.2

▶CVEListV5vmware_vrealize_operationsVMware vRealize Operations (8.x prior to 8.5)

▶NVDvmware/cloud_foundation3.0 — 3.10.2.1+1

Patches

Patch: www.vmware.com ↗Patch: www.vmware.com ↗

🔴Vulnerability Details

GHSA

GHSA-4chg-642f-qr6p: The vRealize Operations Manager API (8↗2022-05-24

▶

CVEList

CVE-2021-22027: The vRealize Operations Manager API (8↗2021-08-30

▶

📋Vendor Advisories

VMware

VMware vRealize Operations updates address multiple security vulnerabilities (CVE-2021-22022, CVE-2021-22023, CVE-2021-22024, CVE-2021-22025, CVE-2021-22026, CVE-2021-22027)↗2021-08-24

▶