CVE-2021-21978: VMware View Planner Remote Code Execution Vulnerability Alert

On March 2, 2021, VMware released a security notice for View Planner. The vulnerability is tracked as CVE-2021-21978, with a CVSSv3 base score of 8.6.
There is a flaw in View Planner's handling of uploaded files. This vulnerability allows an attacker to upload files to arbitrary directories and, under certain circumstances, achieve remote code execution. A proof of concept (PoC) for the vulnerability has been made public.

Vulnerability Detail

Improper input validation and lack of authorization lead to arbitrary file upload in the logupload web application. An unauthorized attacker with network access to the View Planner Harness could upload and execute a specially crafted file, leading to remote code execution within the logupload container.

Affected version

  • VMware View Planner 4.6

Solution

We recommend that users promptly upgrade VMware View Planner to the latest version.