CVE-2021-21973
VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability
Severity Score
5.3
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
Yes
*KEV
Decision
-
*SSVC
Descriptions
The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
El VSphere Client (HTML5) contiene una vulnerabilidad SSRF (Server Side Request Forgery) debido a una comprobación inapropiada de las URL en un plugin de vCenter Server. Un actor malicioso con acceso de red al puerto 443 puede explotar este problema mediante el envío de una petición POST al plugin vCenter Server conllevando a una divulgación de información. Esto afecta a: VMware vCenter Server (versiones 7.x anteriores a 7.0 U1c, versiones 6.7 anteriores a 6.7 U3l y versiones 6.5 anteriores a 6.5 U3n) y VMware Cloud Foundation (versiones 4.x anteriores a 4.2 y versiones 3.x anteriores a 3.10.1.2)
VMware vCenter Server and Cloud Foundation Server contain a SSRF vulnerability due to improper validation of URLs in a vCenter Server plugin. This allows for information disclosure.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-01-04 CVE Reserved
- 2021-02-24 CVE Published
- 2021-03-16 First Exploit
- 2022-03-07 Exploited in Wild
- 2022-03-21 KEV Due Date
- 2024-08-03 CVE Updated
- 2024-09-03 EPSS Updated
CWE
- CWE-918: Server-Side Request Forgery (SSRF)
CAPEC
References (2)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/freakanonymous/CVE-2021-21973-Automateme | 2021-03-16 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.vmware.com/security/advisories/VMSA-2021-0002.html | 2024-02-15 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Vmware Search vendor "Vmware" | Cloud Foundation Search vendor "Vmware" for product "Cloud Foundation" | >= 3.0 < 3.10.1.2 Search vendor "Vmware" for product "Cloud Foundation" and version " >= 3.0 < 3.10.1.2" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Cloud Foundation Search vendor "Vmware" for product "Cloud Foundation" | >= 4.0 < 4.2 Search vendor "Vmware" for product "Cloud Foundation" and version " >= 4.0 < 4.2" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | a |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | b |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | c |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | d |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | e |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | f |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | update1d |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | update1e |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | update1g |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | update2 |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | update2b |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | update2c |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | update2d |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | update2g |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | update3 |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | update3d |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | update3f |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.5 Search vendor "Vmware" for product "Vcenter Server" and version "6.5" | update3k |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.7 Search vendor "Vmware" for product "Vcenter Server" and version "6.7" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.7 Search vendor "Vmware" for product "Vcenter Server" and version "6.7" | a |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.7 Search vendor "Vmware" for product "Vcenter Server" and version "6.7" | b |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.7 Search vendor "Vmware" for product "Vcenter Server" and version "6.7" | d |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.7 Search vendor "Vmware" for product "Vcenter Server" and version "6.7" | update1 |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.7 Search vendor "Vmware" for product "Vcenter Server" and version "6.7" | update1b |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.7 Search vendor "Vmware" for product "Vcenter Server" and version "6.7" | update2 |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.7 Search vendor "Vmware" for product "Vcenter Server" and version "6.7" | update2a |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.7 Search vendor "Vmware" for product "Vcenter Server" and version "6.7" | update2c |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.7 Search vendor "Vmware" for product "Vcenter Server" and version "6.7" | update3 |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.7 Search vendor "Vmware" for product "Vcenter Server" and version "6.7" | update3a |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.7 Search vendor "Vmware" for product "Vcenter Server" and version "6.7" | update3b |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.7 Search vendor "Vmware" for product "Vcenter Server" and version "6.7" | update3f |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.7 Search vendor "Vmware" for product "Vcenter Server" and version "6.7" | update3g |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 6.7 Search vendor "Vmware" for product "Vcenter Server" and version "6.7" | update3j |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 7.0 Search vendor "Vmware" for product "Vcenter Server" and version "7.0" | - |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 7.0 Search vendor "Vmware" for product "Vcenter Server" and version "7.0" | a |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 7.0 Search vendor "Vmware" for product "Vcenter Server" and version "7.0" | b |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 7.0 Search vendor "Vmware" for product "Vcenter Server" and version "7.0" | c |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 7.0 Search vendor "Vmware" for product "Vcenter Server" and version "7.0" | d |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 7.0 Search vendor "Vmware" for product "Vcenter Server" and version "7.0" | update1 |
Affected
| ||||||
| Vmware Search vendor "Vmware" | Vcenter Server Search vendor "Vmware" for product "Vcenter Server" | 7.0 Search vendor "Vmware" for product "Vcenter Server" and version "7.0" | update1a |
Affected
| ||||||