CVE-2021-22035 - Vulnerability Details - OpenCVE

VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV(Comma Separated Value) injection vulnerability in interactive analytics export function. An authenticated malicious actor with non-administrative privileges may be able to embed untrusted data prior to exporting a CSV sheet through Log Insight which could be executed in user's environment.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Vmware	Cloud Foundation Vrealize Log Insight Vrealize Suite Lifecycle Manager

Configuration 1 [-]

OR	cpe:2.3:a:vmware:cloud_foundation::::::::
	cpe:2.3:a:vmware:vrealize_log_insight::::::::
	cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager::::::::

No data.

References

Link	Providers
https://www.vmware.com/security/advisories/VMSA-2021-0022.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: vmware

Published: 2021-10-13T15:50:54

Updated: 2024-08-03T18:30:24.009Z

Reserved: 2021-01-04T00:00:00

Link: CVE-2021-22035

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-10-13T16:15:07.690

Modified: 2024-11-21T05:49:28.620

Link: CVE-2021-22035

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "VMware vRealize Log Insight", "vendor": "n/a", "versions": [{"status": "affected", "version": "VMware vRealize Log Insight (8.x prior to 8.6)"}]}], "descriptions": [{"lang": "en", "value": "VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV(Comma Separated Value) injection vulnerability in interactive analytics export function. An authenticated malicious actor with non-administrative privileges may be able to embed untrusted data prior to exporting a CSV sheet through Log Insight which could be executed in user's environment."}], "problemTypes": [{"descriptions": [{"description": "CSV injection vulnerability in Log Insight", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-13T15:50:54", "orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.vmware.com/security/advisories/VMSA-2021-0022.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@vmware.com", "ID": "CVE-2021-22035", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "VMware vRealize Log Insight", "version": {"version_data": [{"version_value": "VMware vRealize Log Insight (8.x prior to 8.6)"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV(Comma Separated Value) injection vulnerability in interactive analytics export function. An authenticated malicious actor with non-administrative privileges may be able to embed untrusted data prior to exporting a CSV sheet through Log Insight which could be executed in user's environment."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CSV injection vulnerability in Log Insight"}]}]}, "references": {"reference_data": [{"name": "https://www.vmware.com/security/advisories/VMSA-2021-0022.html", "refsource": "MISC", "url": "https://www.vmware.com/security/advisories/VMSA-2021-0022.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:30:24.009Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.vmware.com/security/advisories/VMSA-2021-0022.html"}]}]}, "cveMetadata": {"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "assignerShortName": "vmware", "cveId": "CVE-2021-22035", "datePublished": "2021-10-13T15:50:54", "dateReserved": "2021-01-04T00:00:00", "dateUpdated": "2024-08-03T18:30:24.009Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:cloud_foundation:*:*:*:*:*:*:*:*", "matchCriteriaId": "67763E17-BABE-4A25-95BC-2B5F1666705C", "versionEndIncluding": "4.3.1", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:vrealize_log_insight:*:*:*:*:*:*:*:*", "matchCriteriaId": "BECE8925-3981-4FB9-979E-CDFC1A55A13F", "versionEndExcluding": "8.60", "versionStartExcluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:vrealize_suite_lifecycle_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "61B2C07D-4AD4-458B-86CA-FB2CA45A8EA7", "versionEndIncluding": "8.2", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "VMware vRealize Log Insight (8.x prior to 8.6) contains a CSV(Comma Separated Value) injection vulnerability in interactive analytics export function. An authenticated malicious actor with non-administrative privileges may be able to embed untrusted data prior to exporting a CSV sheet through Log Insight which could be executed in user's environment."}, {"lang": "es", "value": "VMware vRealize Log Insight (versiones 8.x anteriores a 8.6) contienen una vulnerabilidad de inyecci\u00f3n de CSV (Valores Separados por Comas) en la funci\u00f3n interactive analytics export. Un actor malicioso autenticado con privilegios no administrativos puede ser capaz de insertar datos no confiables antes de exportar una hoja CSV mediante Log Insight que podr\u00eda ser ejecutada en el entorno del usuario"}], "id": "CVE-2021-22035", "lastModified": "2024-11-21T05:49:28.620", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-10-13T16:15:07.690", "references": [{"source": "security@vmware.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.vmware.com/security/advisories/VMSA-2021-0022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.vmware.com/security/advisories/VMSA-2021-0022.html"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}