Vulnerability Details : CVE-2021-22036

VMware vRealize Orchestrator ((8.x prior to 8.6) contains an open redirect vulnerability due to improper path handling. A malicious actor may be able to redirect victim to an attacker controlled domain due to improper path handling in vRealize Orchestrator leading to sensitive information disclosure.

Vulnerability category: Open redirectInformation leak

Published 2021-10-13 16:15:08

Updated 2021-10-20 13:42:43

Source VMware

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2021-22036

Probability of exploitation activity in the next 30 days: 0.12%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 45 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-22036

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	nvd@nist.gov
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N	2.8	3.6	nvd@nist.gov
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2021-22036

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-22036

https://www.vmware.com/security/advisories/VMSA-2021-0023.html

VMSA-2021-0023
Vendor Advisory

Products affected by CVE-2021-22036

Vmware » Vrealize Orchestrator
Versions from including (>=) 8.0 and before (<) 8.6
cpe:2.3:a:vmware:vrealize_orchestrator:*:*:*:*:*:*:*:*
Matching versions
Vmware » Vrealize Automation
Versions from including (>=) 8.0 and before (<) 8.6
cpe:2.3:a:vmware:vrealize_automation:*:*:*:*:*:*:*:*
Matching versions