Vulnerability Description
The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Cloud Foundation | >= 3.0, < 3.10.1.2 |
| Vmware | Vcenter Server | 6.5 |
Related Weaknesses (CWE)
References
- https://www.vmware.com/security/advisories/VMSA-2021-0002.htmlVendor Advisory
- https://www.vmware.com/security/advisories/VMSA-2021-0002.htmlVendor Advisory
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-US Government Resource
FAQ
What is CVE-2021-21973?
CVE-2021-21973 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443...
How severe is CVE-2021-21973?
CVE-2021-21973 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-21973?
Check the references section above for vendor advisories and patch information. Affected products include: Vmware Cloud Foundation, Vmware Vcenter Server.