VMware VMSA-2021-0020.1
Sep 21, 2021

VMware vCenter Server updates address multiple security vulnerabilities

Published 2021-09-21, source: www.vmware.com

CVSS3: 9.8 High (Attack Vector: NETWORK, Attack Complexity: LOW, Privileges Required: NONE, User Interaction: NONE, Scope: UNCHANGED, Confidentiality Impact: HIGH, Integrity Impact: HIGH, Availability Impact: HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.9 High (Confidence: Low)

CVSS2: 9 High (Access Vector: NETWORK, Access Complexity: LOW, Authentication: SINGLE, Confidentiality Impact: COMPLETE, Integrity Impact: COMPLETE, Availability Impact: COMPLETE)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS: 0.974 High (Percentile: 99.9%)

3a. vCenter Server file upload vulnerability (CVE-2021-22005)

The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

3b. vCenter Server local privilege escalation vulnerability (CVE-2021-21991)

The vCenter Server contains a local privilege escalation vulnerability due to the way it handles session tokens. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8.

3c. vCenter Server reverse proxy bypass vulnerability (CVE-2021-22006)

The vCenter Server contains a reverse proxy bypass vulnerability due to the way the endpoints handle the URI. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.3.

3d. vCenter Server unauthenticated API endpoint vulnerability (CVE-2021-22011)

The vCenter Server contains an unauthenticated API endpoint vulnerability in vCenter Server Content Library. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.

3e. vCenter Server improper permission local privilege escalation vulnerabilities (CVE-2021-22015)

The vCenter Server contains multiple local privilege escalation vulnerabilities due to improper permissions of files and directories. VMware has evaluated the severity of these issues to be in the Important severity range with a maximum CVSSv3 base score of 7.8.

3f. vCenter Server unauthenticated API information disclosure vulnerability (CVE-2021-22012)

The vCenter Server contains an information disclosure vulnerability due to an unauthenticated appliance management API. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

3g. vCenter Server file path traversal vulnerability (CVE-2021-22013)

The vCenter Server contains a file path traversal vulnerability leading to information disclosure in the appliance management API. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

3h. vCenter Server reflected XSS vulnerability (CVE-2021-22016)

The vCenter Server contains a reflected cross-site scripting vulnerability due to a lack of input sanitization. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

3i. vCenter Server rhttpproxy bypass vulnerability (CVE-2021-22017)

The rhttpproxy component as used in vCenter Server contains a vulnerability due to an improper implementation of URI normalization. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.3.

3j. vCenter Server authenticated code execution vulnerability (CVE-2021-22014)

The vCenter Server contains an authenticated code execution vulnerability in VAMI (Virtual Appliance Management Infrastructure). VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.

3k. vCenter Server file deletion vulnerability (CVE-2021-22018)

The vCenter Server contains an arbitrary file deletion vulnerability in a VMware vSphere Lifecycle Manager plug-in. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

3l. vCenter Server XML parsing denial-of-service vulnerability (CVE-2021-21992)

The vCenter Server contains a denial-of-service vulnerability due to improper XML entity parsing. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.5.

3m. vCenter Server local information disclosure vulnerability (CVE-2021-22007)

The vCenter Server contains a local information disclosure vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.5.

3n. vCenter Server denial-of-service vulnerability (CVE-2021-22019)

The vCenter Server contains a denial-of-service vulnerability in VAPI (vCenter API) service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

3o. vCenter Server VAPI multiple denial-of-service vulnerabilities (CVE-2021-22009)

The vCenter Server contains multiple denial-of-service vulnerabilities in the VAPI (vCenter API) service. VMware has evaluated the severity of these issues to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

3p. vCenter Server VPXD denial-of-service vulnerability (CVE-2021-22010)

The vCenter Server contains a denial-of-service vulnerability in the VPXD (Virtual Provisioning X Daemon) service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

3q. vCenter Server information disclosure vulnerability (CVE-2021-22008)

The vCenter Server contains an information disclosure vulnerability in the VAPI (vCenter API) service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.

3r. vCenter Server Analytics service denial-of-service vulnerability (CVE-2021-22020)

The vCenter Server contains a denial-of-service vulnerability in the Analytics service. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.0.

3s. vCenter Server SSRF vulnerability (CVE-2021-21993)

The vCenter Server contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in vCenter Server Content Library. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.3.
