CVE-2021-22049

Summary

The vSphere Web Client (FLEX/Flash) contains an SSRF (Server Side Request Forgery) vulnerability in the vSAN Web Client (vSAN UI) plug-in. A malicious actor with network access to port 443 on vCenter Server may exploit this issue by accessing a URL request outside of vCenter Server or accessing an internal service.

Affected Software

VendorProductVersion RangeStatus
n/aVMware vCenter Server and VMware Cloud FoundationVMware vCenter Server (6.7 before 6.7 U3p and 6.5 before 6.5 U3r) and VMware Cloud Foundation 3.xaffected

Weaknesses

  • SSRF vulnerability

ADP Enrichment

CVE Program Container

Additional References

References