CVE-2021-21975

Warning

Exploit

EPSS 94.42%
Published 31.03.2021 18:15:14
Last modified 12.03.2025 20:57:43
Source security@vmware.com
Teams watchlist Login
Open Login

Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.

Affected products Warnungen 1 Metrics 4 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

VMware ≫ Cloud Foundation Version3.0

VMware ≫ Cloud Foundation Version3.0.1

VMware ≫ Cloud Foundation Version3.0.1.1

VMware ≫ Cloud Foundation Version3.5

VMware ≫ Cloud Foundation Version3.5.1

VMware ≫ Cloud Foundation Version3.7

VMware ≫ Cloud Foundation Version3.7.1

VMware ≫ Cloud Foundation Version3.7.2

VMware ≫ Cloud Foundation Version3.8

VMware ≫ Cloud Foundation Version3.8.1

VMware ≫ Cloud Foundation Version3.9

VMware ≫ Cloud Foundation Version3.9.1

VMware ≫ Cloud Foundation Version3.10

VMware ≫ Cloud Foundation Version4.0

VMware ≫ Cloud Foundation Version4.0.1

VMware ≫ Vrealize Operations Manager Version7.0.0

VMware ≫ Vrealize Operations Manager Version7.5.0

VMware ≫ Vrealize Operations Manager Version8.0.0

VMware ≫ Vrealize Operations Manager Version8.0.1

VMware ≫ Vrealize Operations Manager Version8.1.0

VMware ≫ Vrealize Operations Manager Version8.1.1

VMware ≫ Vrealize Operations Manager Version8.2.0

VMware ≫ Vrealize Operations Manager Version8.3.0

VMware ≫ Vrealize Suite Lifecycle Manager Version8.0

VMware ≫ Vrealize Suite Lifecycle Manager Version8.0.1

VMware ≫ Vrealize Suite Lifecycle Manager Version8.1

VMware ≫ Vrealize Suite Lifecycle Manager Version8.2

18.01.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

VMware Server Side Request Forgery in vRealize Operations Manager API

Vulnerability

Server Side Request Forgery (SSRF) in vRealize Operations Manager API prior to 8.4 may allow a malicious actor with network access to the vRealize Operations Manager API to perform a SSRF attack to steal administrative credentials.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	94.42%	1

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-918 Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

http://packetstormsecurity.com/files/162349/VMware-vRealize-Operations-Manager-Server-Side-Request-Forgery-Code-Execution.html

Third Party Advisory

Exploit

VDB Entry

https://www.vmware.com/security/advisories/VMSA-2021-0004.html

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2021-21975

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-21975

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-21975

EUVD