CVE-2021-21973

The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

Published: Feb 24, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-21973
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-918

Affected Software
References

Software	From	Fixed in
vmware / vcenter_server	6.5-f	6.5-f.x
vmware / vcenter_server	6.5-e	6.5-e.x
vmware / vcenter_server	6.5-d	6.5-d.x
vmware / vcenter_server	6.5-c	6.5-c.x
vmware / vcenter_server	6.5-b	6.5-b.x
vmware / vcenter_server	6.5-a	6.5-a.x
vmware / vcenter_server	6.7-d	6.7-d.x
vmware / vcenter_server	6.7-b	6.7-b.x
vmware / vcenter_server	6.7-a	6.7-a.x
vmware / vcenter_server	6.5	6.5.x
vmware / vcenter_server	6.7	6.7.x
vmware / vcenter_server	7.0	7.0.x
vmware / cloud_foundation	3.0	3.10.1.2
vmware / cloud_foundation	4.0	4.2
vmware / vcenter_server	7.0-d	7.0-d.x
vmware / vcenter_server	7.0-c	7.0-c.x
vmware / vcenter_server	7.0-b	7.0-b.x
vmware / vcenter_server	7.0-a	7.0-a.x
vmware / vcenter_server	6.5-update3	6.5-update3.x
vmware / vcenter_server	6.5-update3d	6.5-update3d.x
vmware / vcenter_server	6.5-update3k	6.5-update3k.x
vmware / vcenter_server	6.5-update3f	6.5-update3f.x
vmware / vcenter_server	6.5-update1d	6.5-update1d.x
vmware / vcenter_server	6.5-update1e	6.5-update1e.x
vmware / vcenter_server	6.5-update1g	6.5-update1g.x
vmware / vcenter_server	6.5-update2	6.5-update2.x
vmware / vcenter_server	6.5-update2b	6.5-update2b.x
vmware / vcenter_server	6.5-update2c	6.5-update2c.x
vmware / vcenter_server	6.5-update2d	6.5-update2d.x
vmware / vcenter_server	6.5-update2g	6.5-update2g.x
vmware / vcenter_server	6.7-update3f	6.7-update3f.x
vmware / vcenter_server	7.0-update1a	7.0-update1a.x
vmware / vcenter_server	7.0-update1	7.0-update1.x
vmware / vcenter_server	6.7-update3j	6.7-update3j.x
vmware / vcenter_server	6.7-update3b	6.7-update3b.x
vmware / vcenter_server	6.7-update3g	6.7-update3g.x
vmware / vcenter_server	6.7-update1	6.7-update1.x
vmware / vcenter_server	6.7-update1b	6.7-update1b.x
vmware / vcenter_server	6.7-update2	6.7-update2.x
vmware / vcenter_server	6.7-update2a	6.7-update2a.x
vmware / vcenter_server	6.7-update2c	6.7-update2c.x
vmware / vcenter_server	6.7-update3a	6.7-update3a.x
vmware / vcenter_server	6.7-update3	6.7-update3.x

https://www.vmware.com/security/advisories/VMSA-2021-0002.html

Vulnerability Database

289,697

CVE-2021-21973