CVE-2021-21980: 
vSphere vCenter Server vulnerability analysis and mitigation

The vulnerability CVE-2021-21980 was discovered in VMware's vSphere Web Client (FLEX/Flash) component, affecting vCenter Server versions 6.5 and 6.7. This unauthorized arbitrary file read vulnerability was reported by ch0wn of Orz lab and publicly disclosed on November 23, 2021. The vulnerability received a CVSSv3 base score of 7.5 (High severity) and affects VMware vCenter Server and VMware Cloud Foundation products (VMware Advisory).

The vulnerability exists in the vSphere Web Client's FLEX/Flash component, allowing unauthorized arbitrary file read access. It received a CVSS v3.1 score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability specifically affects port 443 on vCenter Server. Notably, vCenter Server 7.x is not affected as it doesn't include the vSphere Web Client (FLEX/Flash) component (VMware Advisory, NVD).

The vulnerability allows malicious actors with network access to port 443 on vCenter Server to gain unauthorized access to sensitive information. This could potentially lead to the exposure of confidential data stored on affected systems (VMware Advisory, Hacker News).

VMware has released patches to address this vulnerability. For vCenter Server 6.7, users should upgrade to version 6.7 U3p, and for version 6.5, the upgrade should be to version 6.5 U3r. For Cloud Foundation 3.x, users should upgrade to version 3.11. No workarounds are available, making patching the only effective mitigation strategy (VMware Advisory).