CSV injection in VMware, Inc products - CVE-2021-22035
Published: October 13, 2021
Vulnerability identifier: #VU57322
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-22035
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: VMware, Inc
Affected software:
Aria Operations for Logs (formerly vRealize Log Insight)
Cloud Foundation (vRLI)
vRealize Suite Lifecycle Manager
Aria Operations for Logs (formerly vRealize Log Insight)
Cloud Foundation (vRLI)
vRealize Suite Lifecycle Manager
Detailed vulnerability description
The vulnerability allows a remote attacker to inject arbitrary code into CSV files.
The vulnerability exists due to improper input validation in interactive analytics export function. A remote authenticated attacker can inject arbitrary code into a CSV file.
How to mitigate CVE-2021-22035
Install updates from vendor's website.