VMware vCenter Server updates address arbitrary file read and SSRF vulnerabilities (CVE-2021-21980, CVE-2021-22049)

ID VMSA-2021-0027
Type vmware
Reporter VMware
Modified 2021-11-23T00:00:00


1. Impacted Products
  • VMware vCenter Server (vCenter Server)

  • VMware Cloud Foundation (Cloud Foundation)

2. Introduction

Multiple vulnerabilities in VMware vCenter Server were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

3a. vCenter Server updates address arbitrary file read vulnerability in the vSphere Web Client (CVE-2021-21980)


The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.5.

Known Attack Vectors

A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.


To remediate CVE-2021-21980 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments.



Additional Documentation



vCenter Server vSphere Web Client (FLEX/Flash) is not available in vCenter Server 7.x, therefore this issue is not applicable to vCenter Server 7.x release line.


VMware would like to thank ch0wn of Orz lab for reporting this issue to us.