CVE-2021-21991
First published: Wed Sep 22 2021(Updated: )
The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. A malicious actor with non-administrative user access on vCenter Server host may exploit this issue to escalate privileges to Administrator on the vSphere Client (HTML5) or vCenter Server vSphere Web Client (FLEX/Flash).
Credit: security@vmware.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| VMware Cloud Foundation | >=3.0<3.10.2.2 | |
| VMware Cloud Foundation | >=4.0<4.3 | |
| VMware vCenter Server | =6.5 | |
| VMware vCenter Server | =6.5-a | |
| VMware vCenter Server | =6.5-b | |
| VMware vCenter Server | =6.5-c | |
| VMware vCenter Server | =6.5-d | |
| VMware vCenter Server | =6.5-e | |
| VMware vCenter Server | =6.5-f | |
| VMware vCenter Server | =6.5-update1 | |
| VMware vCenter Server | =6.5-update1b | |
| VMware vCenter Server | =6.5-update1c | |
| VMware vCenter Server | =6.5-update1d | |
| VMware vCenter Server | =6.5-update1e | |
| VMware vCenter Server | =6.5-update1g | |
| VMware vCenter Server | =6.5-update2 | |
| VMware vCenter Server | =6.5-update2b | |
| VMware vCenter Server | =6.5-update2c | |
| VMware vCenter Server | =6.5-update2d | |
| VMware vCenter Server | =6.5-update2g | |
| VMware vCenter Server | =6.5-update3 | |
| VMware vCenter Server | =6.5-update3d | |
| VMware vCenter Server | =6.5-update3f | |
| VMware vCenter Server | =6.5-update3k | |
| VMware vCenter Server | =6.5-update3n | |
| VMware vCenter Server | =6.5-update3p | |
| VMware vCenter Server | =6.7 | |
| VMware vCenter Server | =6.7 | |
| VMware vCenter Server | =6.7-a | |
| VMware vCenter Server | =6.7-b | |
| VMware vCenter Server | =6.7-d | |
| VMware vCenter Server | =6.7-update1 | |
| VMware vCenter Server | =6.7-update1b | |
| VMware vCenter Server | =6.7-update2 | |
| VMware vCenter Server | =6.7-update2a | |
| VMware vCenter Server | =6.7-update2c | |
| VMware vCenter Server | =6.7-update3 | |
| VMware vCenter Server | =6.7-update3a | |
| VMware vCenter Server | =6.7-update3b | |
| VMware vCenter Server | =6.7-update3f | |
| VMware vCenter Server | =6.7-update3g | |
| VMware vCenter Server | =6.7-update3j | |
| VMware vCenter Server | =6.7-update3l | |
| VMware vCenter Server | =6.7-update3m | |
| VMware vCenter Server | =6.7-update3n | |
| VMware vCenter Server | =7.0 | |
| VMware vCenter Server | =7.0-a | |
| VMware vCenter Server | =7.0-b | |
| VMware vCenter Server | =7.0-c | |
| VMware vCenter Server | =7.0-d | |
| VMware vCenter Server | =7.0-update1 | |
| VMware vCenter Server | =7.0-update1a | |
| VMware vCenter Server | =7.0-update1c | |
| VMware vCenter Server | =7.0-update1d | |
| VMware vCenter Server | =7.0-update2 | |
| VMware vCenter Server | =7.0-update2a | |
| VMware vCenter Server | =7.0-update2b |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2021-21991.
What is the severity of CVE-2021-21991?
The severity of CVE-2021-21991 is high.
What software is affected by CVE-2021-21991?
VMware Cloud Foundation and VMware vCenter Server versions 6.5, 6.7, and 7.0 are affected by CVE-2021-21991.
How does CVE-2021-21991 exploit work?
CVE-2021-21991 exploits a local privilege escalation vulnerability in vCenter Server by manipulating session tokens to escalate privileges.
Is there a fix available for CVE-2021-21991?
Yes, VMware has released patches to address the vulnerability. Please refer to the official VMware security advisory for the appropriate fix for your specific version of the affected software.
- collector/nvd-index
- vendor/vmware
- canonical/vmware cloud foundation
- version/vmware cloud foundation/3.0
- version/vmware cloud foundation/4.0
- canonical/vmware vcenter server
- version/vmware vcenter server/6.5
- version/vmware vcenter server/6.5-a
- version/vmware vcenter server/6.5-b
- version/vmware vcenter server/6.5-c
- version/vmware vcenter server/6.5-d
- version/vmware vcenter server/6.5-e
- version/vmware vcenter server/6.5-f
- version/vmware vcenter server/6.5-update1
- version/vmware vcenter server/6.5-update1b
- version/vmware vcenter server/6.5-update1c
- version/vmware vcenter server/6.5-update1d
- version/vmware vcenter server/6.5-update1e
- version/vmware vcenter server/6.5-update1g
- version/vmware vcenter server/6.5-update2
- version/vmware vcenter server/6.5-update2b
- version/vmware vcenter server/6.5-update2c
- version/vmware vcenter server/6.5-update2d
- version/vmware vcenter server/6.5-update2g
- version/vmware vcenter server/6.5-update3
- version/vmware vcenter server/6.5-update3d
- version/vmware vcenter server/6.5-update3f
- version/vmware vcenter server/6.5-update3k
- version/vmware vcenter server/6.5-update3n
- version/vmware vcenter server/6.5-update3p
- version/vmware vcenter server/6.7
- version/vmware vcenter server/6.7-a
- version/vmware vcenter server/6.7-b
- version/vmware vcenter server/6.7-d
- version/vmware vcenter server/6.7-update1
- version/vmware vcenter server/6.7-update1b
- version/vmware vcenter server/6.7-update2
- version/vmware vcenter server/6.7-update2a
- version/vmware vcenter server/6.7-update2c
- version/vmware vcenter server/6.7-update3
- version/vmware vcenter server/6.7-update3a
- version/vmware vcenter server/6.7-update3b
- version/vmware vcenter server/6.7-update3f
- version/vmware vcenter server/6.7-update3g
- version/vmware vcenter server/6.7-update3j
- version/vmware vcenter server/6.7-update3l
- version/vmware vcenter server/6.7-update3m
- version/vmware vcenter server/6.7-update3n
- version/vmware vcenter server/7.0
- version/vmware vcenter server/7.0-a
- version/vmware vcenter server/7.0-b
- version/vmware vcenter server/7.0-c
- version/vmware vcenter server/7.0-d
- version/vmware vcenter server/7.0-update1
- version/vmware vcenter server/7.0-update1a
- version/vmware vcenter server/7.0-update1c
- version/vmware vcenter server/7.0-update1d
- version/vmware vcenter server/7.0-update2
- version/vmware vcenter server/7.0-update2a
- version/vmware vcenter server/7.0-update2b