First published: Wed Feb 24 2021 (Updated: )
The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability caused by improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to the vCenter Server plugin, leading to information disclosure. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
Credit: security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| VMware Cloud Foundation | >=3.0 <3.10.1.2 | Upgrade to 3.10.1.2 |
| VMware Cloud Foundation | >=4.0 <4.2 | Upgrade to 4.2 |
| VMware vCenter Server | =6.5 | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-a | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-b | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-c | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-d | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-e | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-f | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-update1d | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-update1e | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-update1g | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-update2 | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-update2b | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-update2c | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-update2d | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-update2g | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-update3 | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-update3d | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-update3f | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.5-update3k | Upgrade to 6.5 U3n |
| VMware vCenter Server | =6.7 | Upgrade to 6.7 U3l |
| VMware vCenter Server | =6.7-a | Upgrade to 6.7 U3l |
| VMware vCenter Server | =6.7-b | Upgrade to 6.7 U3l |
| VMware vCenter Server | =6.7-d | Upgrade to 6.7 U3l |
| VMware vCenter Server | =6.7-update1 | Upgrade to 6.7 U3l |
| VMware vCenter Server | =6.7-update1b | Upgrade to 6.7 U3l |
| VMware vCenter Server | =6.7-update2 | Upgrade to 6.7 U3l |
| VMware vCenter Server | =6.7-update2a | Upgrade to 6.7 U3l |
| VMware vCenter Server | =6.7-update2c | Upgrade to 6.7 U3l |
| VMware vCenter Server | =6.7-update3 | Upgrade to 6.7 U3l |
| VMware vCenter Server | =6.7-update3a | Upgrade to 6.7 U3l |
| VMware vCenter Server | =6.7-update3b | Upgrade to 6.7 U3l |
| VMware vCenter Server | =6.7-update3f | Upgrade to 6.7 U3l |
| VMware vCenter Server | =6.7-update3g | Upgrade to 6.7 U3l |
| VMware vCenter Server | =6.7-update3j | Upgrade to 6.7 U3l |
| VMware vCenter Server | =7.0 | Upgrade to 7.0 U1c |
| VMware vCenter Server | =7.0-a | Upgrade to 7.0 U1c |
| VMware vCenter Server | =7.0-b | Upgrade to 7.0 U1c |
| VMware vCenter Server | =7.0-c | Upgrade to 7.0 U1c |
| VMware vCenter Server | =7.0-d | Upgrade to 7.0 U1c |
| VMware vCenter Server | =7.0-update1 | Upgrade to 7.0 U1c |
| VMware vCenter Server | =7.0-update1a | Upgrade to 7.0 U1c |
CVE-2021-21973 is a vulnerability in VMware vCenter Server and Cloud Foundation that allows for Server Side Request Forgery (SSRF) attacks.
The severity of CVE-2021-21973 is medium with a CVSS score of 5.3.
CVE-2021-21973 affects VMware vCenter Server and Cloud Foundation versions 6.5, 6.7, and 7.0.
CVE-2021-21973 can be exploited by a malicious actor with network access to port 443 sending a POST request to a vCenter Server plugin.
VMware has released patches and workarounds to address the vulnerability; refer to the VMware security advisory for more information.