Vulnerability Description
The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Vcenter Server | 6.5 |
| Vmware | Cloud Foundation | >= 3.0, < 3.10.2.1 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/162812/VMware-Security-Advisory-2021-0010.hThird Party AdvisoryVDB Entry
- https://www.vmware.com/security/advisories/VMSA-2021-0010.htmlVendor Advisory
- http://packetstormsecurity.com/files/162812/VMware-Security-Advisory-2021-0010.hThird Party AdvisoryVDB Entry
- https://www.vmware.com/security/advisories/VMSA-2021-0010.htmlVendor Advisory
FAQ
What is CVE-2021-21986?
CVE-2021-21986 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availabi...
How severe is CVE-2021-21986?
CVE-2021-21986 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-21986?
Check the references section above for vendor advisories and patch information. Affected products include: Vmware Vcenter Server, Vmware Cloud Foundation.