VMware has warned users about two new vulnerabilities affecting VMware vCenter Server and VMware Cloud Foundation, published as advisory VMSA-2021-0027. Both issues were privately reported to VMware, and updates that remediate them are already available.
vSphere Web Client
The first vulnerability, CVE-2021-21980, is rated Important (CVSSv3 base score 7.5). The vSphere Web Client (the older Flex/Flash-based client, as opposed to the HTML5 vSphere Client) contains an unauthorized arbitrary file read vulnerability. An attacker with network access to port 443 on vCenter Server can exploit it to read files from the appliance and gain access to sensitive information.
The second vulnerability, CVE-2021-22049, is a server-side request forgery (SSRF) in the vSAN Web Client plug-in that ships with the vSphere Web Client. VMware rates it Moderate (CVSSv3 base score 6.5). Again the only prerequisite is network access to port 443 on vCenter Server: the attacker supplies a URL that the plug-in fetches on the server's behalf, which lets vCenter be turned into a proxy towards hosts outside vCenter Server or towards internal services that are reachable only from the appliance itself.
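The following is an added example and is not VMware's code: it shows the destination check that a server-side URL fetch needs in order not to become an SSRF of the kind described above. A vulnerable handler simply hands the caller-supplied URL to its HTTP client; the hardened version below restricts the scheme, rejects userinfo tricks such as `https://allowed.host@127.0.0.1/`, requires the host to be on an allowlist, and resolves the name to confirm that every address is global rather than loopback, RFC 1918, link-local (169.254.x.x metadata endpoints) or an IPv4 address hidden inside an IPv4-mapped IPv6 address. The host names, the allowlist and the DNS table are constructed for the demonstration.

```python
"""
Added example (not VMware's code): destination validation for a server-side
URL fetch, the control whose absence turns such a fetch into an SSRF.
Host names, addresses and the allowlist below are constructed.
"""
import ipaddress
import socket
from typing import Callable, Set, Tuple
from urllib.parse import urlsplit

# Hypothetical allowlist of back-end services the plug-in may contact.
ALLOWED_HOSTS = {"vsan-health.example.internal", "reports.example.internal"}
ALLOWED_SCHEMES = {"https"}

Resolver = Callable[[str], Set[str]]


def resolve_all(host: str) -> Set[str]:
    """Resolve every A/AAAA record for host (real DNS; the demo does not use it)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_internal_address(ip_text: str) -> bool:
    """True for loopback, RFC 1918, link-local (169.254.x.x), ULA, unspecified,
    multicast and other non-global ranges. IPv4-mapped IPv6 addresses such as
    ::ffff:10.0.0.5 are unwrapped first so the embedded IPv4 range is judged."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def check_fetch_target(url: str, resolve: Resolver = resolve_all) -> Tuple[bool, str]:
    """Decide whether a caller-supplied URL may be fetched server-side.

    Returns (allowed, reason). Cheapest checks run first. Every resolved
    address must be global, because a name on the allowlist can still be
    pointed at an internal address by whoever controls its DNS.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        # "https://allowed.host@127.0.0.1/" parses the allowed name as userinfo
        # and 127.0.0.1 as the real host; refuse userinfo outright.
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        addresses = resolve(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host resolved to no addresses"
    for addr in addresses:
        if is_internal_address(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


# Constructed DNS table for an offline demonstration.
DEMO_DNS = {
    "vsan-health.example.internal": {"93.184.216.34"},      # a global address
    "reports.example.internal": {"::ffff:10.0.0.5"},        # allowlisted name, internal target
}


def demo_resolve(host: str) -> Set[str]:
    """Resolver backed by DEMO_DNS; unknown names fail like real DNS would."""
    try:
        return DEMO_DNS[host]
    except KeyError:
        raise socket.gaierror(f"unknown host {host}")


if __name__ == "__main__":
    for candidate in (
        "https://vsan-health.example.internal/health",
        "https://reports.example.internal/",
        "http://vsan-health.example.internal/",
        "https://vsan-health.example.internal@127.0.0.1/",
        "https://169.254.169.254/latest/meta-data/",
    ):
        print(candidate, "->", check_fetch_target(candidate, resolve=demo_resolve))
```

Two caveats for anyone adapting this: the addresses validated here must be the ones actually connected to (pin them into the HTTP client or re-check after connecting), otherwise a DNS answer that changes between check and connect reopens the hole; and HTTP redirects from an allowed host must either be refused or pass through the same check, since a 302 to an internal address is the classic way round an allowlist.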
Both vulnerabilities are fixed in the latest updates, and VMware urges users to apply them as soon as possible. Because the affected component is the Flex-based vSphere Web Client, the releases in scope are vCenter Server 6.5 and 6.7 and the Cloud Foundation 3.x releases that bundle them; vCenter Server 7.0 ships only the HTML5 client and is not affected. Until the update is applied, make sure port 443 on vCenter Server is reachable only from trusted management networks, since network access to that port is the only prerequisite for either issue.