module
VMware vRealize Operations (vROps) Manager SSRF RCE
| Disclosed |
|---|
| Mar 30, 2021 |
Disclosed
Mar 30, 2021
Description
This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth
file write (CVE-2021-21983) in VMware vRealize Operations Manager to
leak admin creds and write/execute a JSP payload.
CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and
CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate
endpoint. Code execution occurs as the "admin" Unix user.
The following vRealize Operations Manager versions are vulnerable:
* 7.0.0
* 7.5.0
* 8.0.0, 8.0.1
* 8.1.0, 8.1.1
* 8.2.0
* 8.3.0
Version 8.3.0 is not exploitable for creds and is therefore not
supported by this module. Tested successfully against 8.0.1, 8.1.0,
8.1.1, and 8.2.0.
file write (CVE-2021-21983) in VMware vRealize Operations Manager to
leak admin creds and write/execute a JSP payload.
CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and
CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate
endpoint. Code execution occurs as the "admin" Unix user.
The following vRealize Operations Manager versions are vulnerable:
* 7.0.0
* 7.5.0
* 8.0.0, 8.0.1
* 8.1.0, 8.1.1
* 8.2.0
* 8.3.0
Version 8.3.0 is not exploitable for creds and is therefore not
supported by this module. Tested successfully against 8.0.1, 8.1.0,
8.1.1, and 8.2.0.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.