VMware patches 2 vSphere Web Client vulnerabilities (CVE-2021-21980, CVE-2021-22049)

VMware patches 2 vSphere Web Client vulnerabilities (CVE-2021-21980, CVE-2021-22049)

VMware has patched arbitrary file read and SSRF vCenter Server vulnerabilities (CVE-2021-21980, CVE-2021-22049) that affect VMware vSphere Web Client.

An attacker could exploit this vulnerability and take control of an unpatched system.

CVE-2021-21980

For the first issue, the vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability CVE-2021-21980.

“A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.,” VMware stated in the advisory.

The High severity vulnerability has a CVSSv3 base score of 7.5 and affects vCenter Server versions 6.5 and 6.7.

CVE-2021-22049

For the second issue, the vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in.

“A malicious actor with network access to port 443 on vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service,” VMware added.

The vulnerability has a CVSSv3 base score of 6.5 and is also rated Moderate severity.

VMware has provided patches and workarounds to address these vulnerabilities in impacted VMware vCenter and Cloud Foundation.

Related Articles

Tags: , , ,