#VU56082 Input validation error in VMware, Inc products - CVE-2021-22023

Cybersecurity Help s.r.o.

Published: 2021-08-25

Vulnerability identifier: #VU56082

Vulnerability risk: Low

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2021-22023

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
VMware vRealize Operations Manager (vROps)
Server applications / Virtualization software
VMware Cloud Foundation (vROps)
Client/Desktop applications / Virtualization software
vRealize Suite Lifecycle Manager
Other software / Other software solutions

Vendor: VMware, Inc

Description

The vulnerability allows a remote user to compromise the target system.

The vulnerability exists due to insecure direct object reference issue. A remote administrator can modify other users information leading to an account takeover.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

VMware vRealize Operations Manager (vROps): 7.5 - 8.4.0

VMware Cloud Foundation (vROps): 3.0 - 4.0

vRealize Suite Lifecycle Manager: 8.0

External links
https://www.vmware.com/security/advisories/VMSA-2021-0018.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Dell EMC Enterprise Hybrid Cloud update for VMware products

Multiple vulnerabilities in several VMware products