CVE-2021-21973: 
vSphere vCenter Server vulnerability analysis and mitigation

The vSphere Client (HTML5) contains a Server Side Request Forgery (SSRF) vulnerability (CVE-2021-21973) discovered in February 2021. The vulnerability exists due to improper validation of URLs in a vCenter Server plugin. This affects VMware vCenter Server versions 7.x before 7.0 U1c, 6.7 before 6.7 U3l, and 6.5 before 6.5 U3n, as well as VMware Cloud Foundation versions 4.x before 4.2 and 3.x before 3.10.1.2 (VMware Advisory).

The vulnerability has been assigned a CVSSv3 base score of 5.3, categorizing it as a moderate severity issue. The SSRF vulnerability exists in the vCenter Server plugin, specifically in the vSphere Client (HTML5) interface. The affected vCenter Server plugin for vROPs is available in all default installations, and notably, vROPs does not need to be present to have this endpoint available (VMware Advisory).

The exploitation of this vulnerability could lead to information disclosure. The vulnerability affects systems with network access to port 443, potentially exposing sensitive information through malicious POST requests to the vCenter Server plugin (VMware Advisory).

VMware has released patches to address this vulnerability. The fixed versions include vCenter Server 7.0 U1c, 6.7 U3l, and 6.5 U3n. For VMware Cloud Foundation, updates to version 4.2 or 3.10.1.2 are required. Workarounds are documented in KB82374. Users are advised to follow the workarounds KB to disable the affected plugin if immediate patching is not possible (VMware Advisory).