CVE-2021-21978: VMware View Planner Remote Code Execution Vulnerability Alert
On March 2, 2021, VMware released a risk notice for View Planner. The vulnerability is tracked as CVE-2021-21978, and its CVSSv3 base score is 8.6.
There is a flaw in View Planner's handling of uploaded files. This vulnerability allows an attacker to upload files to arbitrary directories and cause remote code execution under certain circumstances. A proof of concept (PoC) for the vulnerability has been made public.

Vulnerability Detail
Improper input validation and a lack of authorization lead to arbitrary file upload in the logupload web application. An unauthorized attacker with network access to the View Planner Harness could upload and execute a specially crafted file, leading to remote code execution within the logupload container.
Affected version
- VMware View Planner 4.6
Solution
We recommend that users upgrade VMware View Planner to the latest version promptly.