
VMware Warns of Newly Discovered Vulnerabilities in vSphere Web Client
2021-11-24 21:09

VMware has shipped updates to address two security vulnerabilities in vCenter Server and Cloud Foundation that could be abused by a remote attacker to gain access to sensitive information.

The more severe of the issues concerns an arbitrary file read vulnerability in the vSphere Web Client.

Tracked as CVE-2021-21980, the bug has been rated 7.5 out of a maximum of 10 on the CVSS scoring system, and impacts vCenter Server versions 6.5 and 6.7.

"A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information," the company noted in an advisory published on November 23, crediting ch0wn of Orz lab for reporting the flaw.

The second shortcoming remediated by VMware is a server-side request forgery (SSRF) vulnerability in the virtual storage area network (vSAN) Web Client plug-in. A malicious actor with network access to port 443 on vCenter Server could exploit it to reach an internal service or to make a URL request to a destination outside of the server.

SSRF is a class of web security vulnerability in which an adversary sends specially crafted HTTP requests that cause the target server to read or modify internal resources the server itself can reach, resulting in the unauthorized exposure of information.


News URL

https://thehackernews.com/2021/11/vmware-warns-of-newly-discovered.html

Related Vulnerability

Date: 2021-11-24
CVE: CVE-2021-21980
Title: Unspecified vulnerability in VMware Cloud Foundation and vCenter Server
Description: The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability.
Risk: network, low complexity, CVSS 7.5
Vendor: VMware

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Vmware 146 11 222 256 102 591