VMware has patched two vCenter Server vulnerabilities, an arbitrary file read and an SSRF (CVE-2021-21980 and CVE-2021-22049), that affect the VMware vSphere Web Client.
An attacker could exploit these vulnerabilities and take control of an unpatched system.
For the first issue, the vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability CVE-2021-21980.
“A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information,” VMware stated in the advisory.
The High severity vulnerability has a CVSSv3 base score of 7.5 and affects vCenter Server versions 6.5 and 6.7.
For the second issue, the vSphere Web Client (FLEX/Flash) contains an SSRF (Server-Side Request Forgery) vulnerability, CVE-2021-22049, in the vSAN Web Client (vSAN UI) plug-in.
“A malicious actor with network access to port 443 on vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service,” VMware added.
The vulnerability has a CVSSv3 base score of 6.5 and is rated Moderate severity.
VMware has provided patches and workarounds to address these vulnerabilities in impacted VMware vCenter and Cloud Foundation.