CVE-2021-21975
Published: 31 March 2021
Summary
CVE-2021-21975 is a high-severity SSRF (CWE-918) vulnerability in VMware Cloud Foundation. Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.0% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2021-21975 is a Server Side Request Forgery vulnerability in the vRealize Operations Manager API affecting versions prior to 8.4. The flaw is tracked under CWE-918 and carries a CVSS 3.1 base score of 7.5, reflecting network attack vector, low complexity, and no required privileges or user interaction.
A malicious actor with network access to the vRealize Operations Manager API can exploit the issue to conduct an SSRF attack that results in theft of administrative credentials.
The primary vendor advisory is VMware VMSA-2021-0004, which addresses the affected product versions. The vulnerability is also catalogued in the CISA Known Exploited Vulnerabilities list, confirming observed real-world exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-9146
Vulnerability details
Server Side Request Forgery in the vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API to perform a Server Side Request Forgery attack and steal administrative credentials.
- CWE(s): CWE-918
- KEV Date Added: 18 January 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Information input validation (SI-10) on the vRealize Operations Manager API would reject the crafted URLs that drive the SSRF requests used to exfiltrate administrative credentials.
Information flow enforcement (AC-4) policies can block the API from initiating unauthorized outbound requests to internal resources that would disclose credentials.
Boundary protection (SC-7) mechanisms can restrict or inspect the API's outbound connections, cutting off the SSRF channel to internal credential stores.