VMware vRealize Operations Tenant App update addresses Information Disclosure Vulnerability (CVE-2021-22034)

-

 

1. Impacted Products
  • VMware vRealize Operations Tenant App for VMware Cloud Director
2. Introduction

An information disclosure vulnerability in VMware vRealize Operations Tenant App for VMware Cloud Director was privately reported to VMware. Patch is available to address this vulnerability in impacted VMware products. 

3. Information Disclosure Vulnerability in VMware vRealize Operations Tenant App for VMware Cloud Director (CVE-2021-22034)

Description

The vRealize Operations Tenant App for VMware Cloud Director contains an information disclosure vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

Known Attack Vectors

A malicious actor with network access to port 443 on the vRealize Operations Tenant App may access any set system environment variables, leading to information disclosure.

Resolution

To remediate CVE-2021-22034 apply the patches listed in the 'Fixed Version' column of the 'Response Matrix' found below.

Workarounds

None.

Additional Documentation

None.

Acknowledgements

VMware would like to thank Dhiraj Shrikant Datar for reporting this vulnerability to us.

Comments

Post a Comment

Popular posts from this blog

HTTP Host header attacks against web proxy disclaimer response webpage CVE-2017-14190

-
HTTP Host header attacks against web proxy disclaimer response webpage Summary The FortiOS web proxy disclaimer page is potentially vulnerable to an XSS attack, via maliciously crafted "Host" headers in user HTTP requests. The latter is possible if an attacker is in a Man-in-the-middle position (i.e. able to modify the HTTP requests of the potential victim before they reach the web proxy), or poisons a web cache used by the potential victim. In the latter attack scenario, the tainted disclaimer web page being cached, the XSS attack can be considered as persistent. Impact Persistent Cross-site Scripting (XSS) CVE ID CVE-2017-14190 Affected Products FortiOS 5.6.0 to 5.6.2 FortiOS 5.4.0 to 5.4.7 FortiOS 5.2 and lower versions. Solutions FortiOS 5.6 branch: Upgrade to 5.6.3 FortiOS 5.4 branch: Upgrade to 5.4.8 For...
Read more

TYPO3 CMS is vulnerable to SQL injection. CVE-2019-19850

-
It has been discovered that TYPO3 CMS is vulnerable to SQL injection. Component Type: TYPO3 CMS Subcomponent: Query Generator (ext:lowlevel) Release Date: December 17, 2019 Vulnerability Type: SQL Injection Affected Versions: 8.0.0-8.7.29 and 9.0.0-9.5.11 and 10.0.0-10.2.0 Severity: Medium Suggested CVSS v3.1:   AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C CVE:   CVE-2019-19850 Problem Description Failing to properly escape user submitted content, class QueryGenerator is vulnerable to SQL injection. Having system extension ext:lowlevel installed and a valid backend user having administrator privileges are required to exploit this vulnerability. Solution Update to TYPO3 versions 8.7.30 or 9.5.12 or 10.2.2 that fix the problem described. Credits Thanks to Dhiraj Shrikant Datar ( Zacco CyberSecurity Research Labs ) who reported this issue and to TYPO3 framework merger Frank Nägler  who fixed the issue. General Advice Follo...
Read more