VMware Warns of Newly Discovered Vulnerabilities in vSphere Web Client

http://thehackernews.com/

VMware has shipped updates to address two security vulnerabilities in vCenter Server and Cloud Foundation that could be abused by a remote attacker to gain access to sensitive information.

The more severe of the issues concerns an arbitrary file read vulnerability in the vSphere Web Client. Tracked as CVE-2021-21980, the bug has been rated 7.5 out of a maximum of 10 on the CVSS scoring system, and impacts vCenter Server versions 6.5 and 6.7.

“A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information,” the company noted in an advisory published on November 23, crediting ch0wn of Orz lab for reporting the flaw.

The second shortcoming remediated by VMware is an SSRF (Server-Side Request Forgery) vulnerability in the Virtual Storage Area Network (vSAN) Web Client plug-in. A malicious actor with network access to port 443 on vCenter Server could exploit the flaw to reach an internal service or to make a URL request to a destination outside of the server.

The company credited magiczero from SGLAB of Legendsec at Qi’anxin Group with discovering and reporting the flaw.

SSRF is a class of web security vulnerability in which an adversary sends specially crafted HTTP requests that cause the target server to read or modify internal resources the server itself can reach, resulting in the unauthorized exposure of information.

The risks arising out of SSRF attacks are so serious and widespread that they made it to the Open Web Application Security Project’s (OWASP) list of Top 10 web application security risks for 2021.
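As an added illustration (not VMware's code and not part of the advisory), the following Python guard shows the checks a defender places in front of any server-side fetch whose destination a user can influence: scheme and userinfo restrictions, a host allow-list, and a rule that every address the host resolves to must be publicly routable. The hostnames, addresses and `demo_resolve` mapping are constructed for the example.

```python
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list and fake DNS table for offline demonstration.
ALLOWED_HOSTS = {"updates.example.com", "rebind.example.com", "mapped.example.com"}
_DEMO_DNS = {
    "updates.example.com": ["93.184.216.34"],            # public only
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],  # mixed answer
    "mapped.example.com": ["::ffff:10.0.0.5"],           # IPv4-mapped IPv6
}

def demo_resolve(host: str) -> list[str]:
    if host not in _DEMO_DNS:
        raise OSError("NXDOMAIN (constructed)")
    return _DEMO_DNS[host]

def real_resolve(host: str) -> list[str]:
    # Return every address: an attacker-controlled name may answer with
    # a mix of public and internal addresses, and all must be checked.
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def _non_public(ip) -> bool:
    # Unwrap ::ffff:a.b.c.d so the IPv4 range checks apply to it too
    # (older ipaddress versions do not see through the mapping).
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def is_safe_outbound_url(url: str, allowed_hosts: set[str], resolve=real_resolve):
    """Return (ok, reason). Reject anything that is not an allow-listed
    http(s) host whose resolved addresses are all publicly routable."""
    try:
        parts = urlsplit(url)
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable url"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "userinfo in url"
    host = parts.hostname
    if not host or host not in allowed_hosts:
        return False, f"host {host!r} not on allow-list"
    try:
        addrs = resolve(host)
    except OSError:
        return False, "dns resolution failed"
    for a in addrs or []:
        if _non_public(ipaddress.ip_address(a)):
            return False, f"{host} resolves to non-public address {a}"
    return True, "ok" if addrs else (False, "no addresses")
```

Because the check happens before the HTTP client performs its own lookup, the client must connect to the validated address (or the check must be repeated at connect time), otherwise a name that changes its answer between the two lookups can still steer the request inward.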

With VMware’s virtualization solutions widely used across enterprises, it’s no surprise that its products have become lucrative targets for threat actors to mount a variety of attacks against vulnerable networks. To mitigate the risk of infiltration, it’s recommended that organisations move quickly to apply the necessary updates.
