CVE-2021-21973
Published: 24 February 2021
Summary
CVE-2021-21973 is a medium-severity SSRF (CWE-918) vulnerability in VMware vCenter Server. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The vSphere Client (HTML5) component of VMware vCenter Server contains a server-side request forgery vulnerability stemming from insufficient validation of URLs processed by a vCenter Server plugin. The flaw affects VMware vCenter Server versions 7.x prior to 7.0 U1c, 6.7 prior to 6.7 U3l, and 6.5 prior to 6.5 U3n, as well as VMware Cloud Foundation releases 4.x prior to 4.2 and 3.x prior to 3.10.1.2.
An unauthenticated attacker with network access to vCenter Server on TCP port 443 can exploit the issue by submitting a crafted POST request to the affected plugin. Successful exploitation results in information disclosure, corresponding to a CVSS 3.1 base score of 5.3 under CWE-918.
VMware's VMSA-2021-0002 advisory details the affected releases and corresponding fixed versions. The vulnerability is also tracked in CISA's catalog of known exploited vulnerabilities, confirming observed in-the-wild activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-9144
Vulnerability details
The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
- CWE(s): CWE-918
- KEV Date Added: 07 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of URL inputs processed by the vCenter plugin, so that crafted SSRF requests are rejected before the server issues any outbound request.
- AC-4 (Information Flow Enforcement): enforces policy-based restrictions on server-initiated outbound requests, preventing the unauthorized information flows that this SSRF exploits.
- SC-7 (Boundary Protection): boundary protection mechanisms (e.g., allow-listing or proxy inspection) can block or sanitize malicious POST requests before they reach the vulnerable plugin on port 443.
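The SI-10 control above asks for validation of server-side URL inputs. The following is an added illustration of what such a check looks like in practice; it is not VMware's code and has no relation to the patched plugin. It assumes a hypothetical allow-list of two hosts (constructed for the example) and accepts a URL only when it is https, carries no userinfo, targets an exact allow-listed host on port 443, and is not an IP literal in a private, loopback or link-local range. An exact-match set is used deliberately: substring or prefix checks on the host are a common source of validation bypasses.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list for this example (hypothetical hosts, not from the advisory).
ALLOWED_HOSTS = {"vcenter-plugin.example.internal", "updates.example.com"}
ALLOWED_SCHEMES = {"https"}


def is_private_or_reserved_ip(host: str) -> bool:
    """True if host is an IP literal in a private, loopback, link-local,
    multicast, reserved or unspecified range. Hostnames return False and are
    handled by the allow-list instead."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(raw_url: str) -> tuple[bool, str]:
    """Return (ok, reason) for a URL the server is about to fetch on a caller's behalf.

    Every rejection names its reason so the decision can be logged and alerted on.
    """
    if len(raw_url) > 2048:
        return False, "url too long"
    try:
        parts = urlsplit(raw_url)
    except ValueError:
        return False, "unparseable url"

    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"

    # user:password@host forms are a classic way to make the "visible" host
    # differ from the host actually contacted; refuse them outright.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"

    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if is_private_or_reserved_ip(host):
        return False, "ip literal in private/reserved range"
    # Exact match only: "updates.example.com.attacker.test" must not pass.
    if host not in ALLOWED_HOSTS:
        return False, f"host not on allow-list: {host!r}"

    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 443):
        return False, f"port not allowed: {port}"

    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs, one accepted and several rejected.
    for candidate in (
        "https://updates.example.com/patch",
        "http://updates.example.com/patch",
        "https://updates.example.com.attacker.test/",
        "https://updates.example.com@evil.test/",
        "https://169.254.169.254/latest/",
        "https://updates.example.com:8443/",
    ):
        print(candidate, "->", validate_outbound_url(candidate))
```

This check covers only the URL as submitted; it does not resolve the hostname, so a second layer matching AC-4 and SC-7 (an egress policy or forward proxy that restricts where the vCenter host may connect) is still needed to cover DNS-level tricks and to give detection a place to observe blocked attempts.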