CVE-2021-21986
Severity CVSS v4.0:
Pending analysis
Type:
CWE-306
Missing Authentication for Critical Function
Publication date:
26/05/2021
Last modified:
12/07/2022
Description
The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins. A malicious actor with network access to port 443 on vCenter Server may perform actions allowed by the impacted plug-ins without authentication.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Base Score 2.0
10.00
Severity 2.0
HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:a:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:b:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:c:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:d:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:e:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:f:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:update1:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:update1b:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:update1c:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:update1d:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:update1e:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:update1g:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:update2:*:*:*:*:*:* | ||
cpe:2.3:a:vmware:vcenter_server:6.5:update2b:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page