CVE-2021-22013: 
vSphere vCenter Server vulnerability analysis and mitigation

CVE-2021-22013 is a file path traversal vulnerability discovered in VMware vCenter Server's appliance management API. The vulnerability was disclosed on September 21, 2021, and affects vCenter Server 6.5. VMware evaluated this vulnerability with a CVSSv3 base score of 7.5, categorizing it in the Important severity range (VMware Advisory).

The vulnerability exists in the appliance management API of vCenter Server, allowing path traversal that leads to information disclosure. The vulnerability is accessible through network access to port 443 on vCenter Server. It received a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity with network attack vector, low attack complexity, and no required privileges or user interaction (NVD).

A successful exploitation of this vulnerability allows a malicious actor with network access to port 443 on vCenter Server to gain access to sensitive information. The vulnerability specifically impacts the confidentiality of the system, with potential exposure of sensitive data (VMware Advisory).

VMware has released patches to address this vulnerability. For vCenter Server 6.5, users should update to version 6.5 U3q. No workarounds are available for this vulnerability, making it critical to apply the security patches as soon as possible (VMware Advisory).

The vulnerability was discovered and reported by George Noseevich (@webpentest) and Sergey Gerasimov of SolidLab LLC. It was part of a larger security advisory (VMSA-2021-0020) that addressed multiple vulnerabilities in vCenter Server (Hacker News).