PT-2021-4330 · Vmware · Vcenter Server+1

George Noseevich

Published

2021-09-21

Updated

2022-07-12

CVE-2021-22008

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions vCenter Server (affected versions not specified)

Description The vCenter Server contains an information disclosure issue in the VAPI (vCenter API) service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue by sending a specially crafted json-rpc message to gain access to sensitive information. This is related to insufficient access control in the system, allowing an attacker to obtain unauthorized access to protected information by sending specially crafted JSON-RPC messages via port 443.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Information Disclosure

Exposure of Resource to Wrong Sphere

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-668

Related Identifiers

BDU:2021-04954

CVE-2021-22008

ZDI-21-1107

Affected Products

Vmware Vcenter

Vcenter Server

PT-2021-4330 · Vmware · Vcenter Server+1

CVE-2021-22008

Weakness Enumeration

Related Identifiers

Affected Products

References · 8