PT-2021-2130 · VMware · VMware vCenter Server +3

Mikhail Klyuchnikov · Published 2021-02-23 · Updated 2025-03-28 · CVE-2021-21973

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

VMware vCenter Server versions 7.x before 7.0 U1c
VMware vCenter Server versions 6.7 before 6.7 U3l
VMware vCenter Server versions 6.5 before 6.5 U3n
VMware Cloud Foundation versions 4.x before 4.2
VMware Cloud Foundation versions 3.x before 3.10.1.2

Description

The vSphere Client contains a Server Side Request Forgery (SSRF) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to the vCenter Server plugin, leading to information disclosure.

Recommendations

For VMware vCenter Server versions 7.x before 7.0 U1c, update to version 7.0 U1c or later.
For VMware vCenter Server versions 6.7 before 6.7 U3l, update to version 6.7 U3l or later.
For VMware vCenter Server versions 6.5 before 6.5 U3n, update to version 6.5 U3n or later.
For VMware Cloud Foundation versions 4.x before 4.2, update to version 4.2 or later.
For VMware Cloud Foundation versions 3.x before 3.10.1.2, update to version 3.10.1.2 or later.

As a temporary workaround, consider restricting access to the vCenter Server plugin to minimize the risk of exploitation.

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

BDU:2021-00989
CVE-2021-21973

Affected Products

VMware vCenter
VMware Cloud Foundation
VMware vCenter Server
vSphere Client