SSRF Vulnerability in VMware vSphere Web Client Affecting vSAN UI Plugin
CVE-2021-22049

9.8 CRITICAL

Key Information:

Vendor: VMware
CVE Published: 24 November 2021

Summary

The vSphere Web Client, specifically the vSAN Web Client (vSAN UI) plug-in shipped by VMware, contains a Server Side Request Forgery (SSRF) vulnerability. A malicious actor with network access to port 443 on the vCenter Server can craft URL requests that cause the server to fetch external URLs or reach internal services that should otherwise be inaccessible to the requester. Because no privileges or user interaction are required, the issue poses a significant risk to the confidentiality and integrity of affected systems and should be remediated promptly.

Affected Version(s)

VMware vCenter Server and VMware Cloud Foundation:
  • VMware vCenter Server 6.7 before 6.7 U3p
  • VMware vCenter Server 6.5 before 6.5 U3r
  • VMware Cloud Foundation 3.x

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published: 24 November 2021
  • Vulnerability reserved