CVE-2022-22982 — Server-Side Request Forgery in Vmware Vcenter Server

CWE-918 — Server-Side Request Forgery4 documents4 sources

Severity

7.5HIGHNVD

EPSS

0.2%

top 52.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Vmware Cloud Foundation Vmware Vcenter Server Vmware Vcenter Server

Timeline

PublishedJul 13

Latest updateJul 14

Description

The vCenter Server contains a server-side request forgery (SSRF) vulnerability. A malicious actor with network access to 443 on the vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶NVDvmware/vcenter_server6.5, 6.7, 7.0+2

▶CVEListV5vmware/vmware_vcenter_serverVMware vCenter Server (7.0 before 7.0 U3f, 6.7 before 6.7 U3r & 6.5 before 6.5 U3t)

▶NVDvmware/cloud_foundation3.0 — 3.11+1

🔴Vulnerability Details

GHSA

GHSA-cvx4-254w-9ppg: The vCenter Server contains a server-side request forgery (SSRF) vulnerability↗2022-07-14

▶

CVEList

CVE-2022-22982: The vCenter Server contains a server-side request forgery (SSRF) vulnerability↗2022-07-13

▶

📋Vendor Advisories

VMware

VMware vCenter Server updates address a server-side request forgery vulnerability (CVE-2022-22982)↗2022-07-12

▶