Vulnerability Description
VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV(Comma Separated Value) injection vulnerability in interactive analytics export function. An authenticated malicious actor with non-administrative privileges may be able to embed untrusted data prior to exporting a CSV sheet through Log Insight which could be executed in user's environment.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vmware | Cloud Foundation | >= 4.0.0, <= 4.3.1 |
| Vmware | Vrealize Log Insight | < 8.60 |
| Vmware | Vrealize Suite Lifecycle Manager | >= 8.0.0, <= 8.2 |
Related Weaknesses (CWE)
References
- https://www.vmware.com/security/advisories/VMSA-2021-0022.htmlPatchVendor Advisory
- https://www.vmware.com/security/advisories/VMSA-2021-0022.htmlPatchVendor Advisory
FAQ
What is CVE-2021-22035?
CVE-2021-22035 is a vulnerability with a CVSS score of 4.3 (MEDIUM). VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV(Comma Separated Value) injection vulnerability in interactive analytics export function. An authenticated malicious actor with non-adminis...
How severe is CVE-2021-22035?
CVE-2021-22035 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-22035?
Check the references section above for vendor advisories and patch information. Affected products include: Vmware Cloud Foundation, Vmware Vrealize Log Insight, Vmware Vrealize Suite Lifecycle Manager.