PT-2021-1987 · VMware · vSphere Replication
Egor Dimitrenko · Published 2021-02-11 · Updated 2021-03-31 · CVE-2021-21976
CVSS v2.0: 9.0 (High)
| Vector | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
vSphere Replication versions 6.5.x through 6.5.1.4
vSphere Replication versions 8.1.x through 8.1.2.2
vSphere Replication versions 8.2.x through 8.2.1.0
vSphere Replication versions 8.3.x through 8.3.1.1
Description
vSphere Replication contains a post-authentication OS command injection vulnerability. An authenticated user with administrative privileges can inject operating-system commands through the "Startup Configuration" page of the VMware vSphere Replication extension (the component that provides asynchronous replication of virtual machines) and thereby execute arbitrary code on the appliance. The root cause is insufficient validation of user-supplied arguments that this page passes to an operating-system command. Because administrative authentication is required (Au:S in the vector), the practical impact is escalation from an administrative web session, or from stolen administrator credentials, to command execution on the underlying appliance; the management interface should therefore not be reachable from untrusted networks.
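The pattern behind this class of bug, as an added illustration that is not the vSphere Replication code and does not reproduce the actual vulnerable handler: a configuration page takes a value (here a replication server address) and hands it to an OS command. The command itself is a stand-in (`echo`) so the example runs anywhere; the names `apply_setting_vulnerable`, `apply_setting_hardened` and `is_valid_server` are hypothetical. The vulnerable variant interpolates the value into a shell command line; the hardened variant allow-lists the value and passes it as a single argv element with no shell.

```python
import re
import subprocess

# Stand-in for the appliance-side command the configuration page would invoke.
# "echo" is used so the example runs offline; the real command is not known
# from the advisory and is not reproduced here.
TOOL = ["echo", "configure-replication", "--server"]

# Allow-list: hostname or IPv4 literal characters only, no whitespace or shell
# metacharacters, and never a leading '-' so the value cannot be interpreted as
# an option by TOOL (argument injection is possible even without a shell).
_SERVER_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def is_valid_server(server: str) -> bool:
    """True only for values that are safe to pass as exactly one argv entry."""
    return _SERVER_RE.fullmatch(server) is not None


def apply_setting_vulnerable(server: str) -> str:
    """Vulnerable pattern: the user-controlled value is spliced into a shell
    command line, so ';', '|', '&&', '$(...)' and friends are parsed by /bin/sh."""
    cmd = f"echo configure-replication --server {server}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def apply_setting_hardened(server: str) -> str:
    """Hardened pattern: reject anything outside the allow-list, then pass the
    value as one argv element without a shell, so it can only ever be the
    --server operand, never a second command or an extra option."""
    if not is_valid_server(server):
        raise ValueError(f"rejected server value: {server!r}")
    result = subprocess.run(TOOL + [server], capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed payload: a legitimate-looking address followed by a second command.
    payload = "10.0.0.1; echo INJECTED"
    print(apply_setting_vulnerable(payload), end="")   # prints INJECTED: the shell ran both
    try:
        apply_setting_hardened(payload)
    except ValueError as exc:
        print("hardened:", exc)                        # payload rejected before any exec
    print(apply_setting_hardened("repl-01.example.com"), end="")
```

If a shell really is unavoidable (for example when the command is a pipeline), `shlex.quote()` on each value is the fallback, but it does not protect against option injection, which is why the allow-list also rejects a leading `-`.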
Recommendations
For vSphere Replication version 6.5.x, update to version 6.5.1.5 or later.
For vSphere Replication version 8.1.x, update to version 8.1.2.3 or later.
For vSphere Replication version 8.2.x, update to version 8.2.1.1 or later.
For vSphere Replication version 8.3.x, update to version 8.3.1.2 or later.
Until the update is applied, restrict network access to the appliance's management interface to trusted administrators, since exploitation requires an authenticated administrative session.
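A version check that encodes the affected ranges and fixed builds listed above, added here as an example and not part of the original advisory. It assumes the version string is obtained from the appliance in dotted numeric form; the function names are hypothetical. Versions on a branch not listed in the advisory are reported as such rather than guessed at.

```python
# Fixed versions per affected branch, taken from the recommendations above.
# Every earlier build on the same branch is affected (6.5.x through 6.5.1.4, etc.).
FIXED_VERSIONS = {
    (6, 5): (6, 5, 1, 5),
    (8, 1): (8, 1, 2, 3),
    (8, 2): (8, 2, 1, 1),
    (8, 3): (8, 3, 1, 2),
}


def parse_version(text: str) -> tuple:
    """Parse '8.3.1.1' into (8, 3, 1, 1); reject anything that is not dotted numerics."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str) -> tuple:
    """Return ('affected', fixed_version_string), ('fixed', None) or
    ('not listed', None) for a vSphere Replication version string."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return ("not listed", None)
    # Pad short strings such as '8.2' so that '8.2' compares as 8.2.0.0.
    padded = (v + (0, 0, 0, 0))[:4]
    if padded < fixed:
        return ("affected", ".".join(str(n) for n in fixed))
    return ("fixed", None)


if __name__ == "__main__":
    for sample in ("8.3.1.1", "8.3.1.2", "6.5.1.4", "8.2", "9.0.0.0"):
        status, fix = assess(sample)
        print(f"{sample:>10}: {status}" + (f", update to {fix} or later" if fix else ""))
```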
Weakness Enumeration
OS Command Injection
Related Identifiers
CVE-2021-21976
Affected Products
VMware vSphere Replication