First published: Mon Aug 30 2021
The vRealize Operations Manager API (8.x prior to 8.5) has an insecure object reference vulnerability. A malicious actor with administrative access to the vRealize Operations Manager API may be able to modify other users' information, leading to an account takeover.
Credit: security@vmware.com
Affected Software | Affected Version | How to fix |
---|---|---|
VMware Cloud Foundation | >=3.0 <=3.10.2.1 | |
VMware Cloud Foundation | >=4.0 <=4.2.1 | |
VMware vRealize Operations Manager | >=8.0.0 <8.5.0 | |
VMware vRealize Operations Manager | =7.5.0 | |
VMware vRealize Suite Lifecycle Manager | >=8.0 <=8.2 | |
CVE-2021-22023 is a vulnerability in the vRealize Operations Manager API (8.x prior to 8.5) that allows a malicious actor with administrative access to modify other users' information and potentially take over their accounts.
CVE-2021-22023 has a severity rating of 7.2 (high).
CVE-2021-22023 affects VMware Cloud Foundation versions 3.0 to 3.10.2.1, VMware vRealize Operations Manager versions 8.0.0 to 8.5.0, and VMware vRealize Suite Lifecycle Manager versions 8.0 to 8.2.
To fix CVE-2021-22023, upgrade vRealize Operations Manager to version 8.5 or later.
More information about CVE-2021-22023 can be found in the VMware security advisory VMSA-2021-0018 at https://www.vmware.com/security/advisories/VMSA-2021-0018.html.