CVE-2021-22049 - Server-Side Request Forgery (SSRF) vulnerability in VMware vCenter Server 6.5/6.7/7.0

047910
CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, low complexity, vmware, CWE-918, critical

Summary

The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. A malicious actor with network access to port 443 on vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service.

Vulnerable Configurations

Part         Description  Count
Application  VMware       3

Common Weakness Enumeration (CWE)