Spring Boot
CVE-2021-26987
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Element Plug-in for vCenter Server incorporates SpringBoot Framework. SpringBoot Framework versions prior to 1.3.2 are susceptible to a vulnerability which when successfully exploited could lead to Remote Code Execution. All versions of Element Plug-in for vCenter Server, Management Services versions prior to 2.17.56 and Management Node versions through 12.2 contain vulnerable versions of SpringBoot Framework.
AnalysisAI
Element Plug-in for vCenter Server incorporates SpringBoot Framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
Element Plug-in for vCenter Server incorporates SpringBoot Framework. SpringBoot Framework versions prior to 1.3.2 are susceptible to a vulnerability which when successfully exploited could lead to Remote Code Execution. All versions of Element Plug-in for vCenter Server, Management Services versions prior to 2.17.56 and Management Node versions through 12.2 contain vulnerable versions of SpringBoot Framework. Affected products include: Vmware Spring Boot, Netapp Element Plug-In For Vcenter Server, Netapp Management Services For Element Software And Netapp Hci, Netapp Solidfire \& Hci Management Node. Version information: prior to 1.3.2.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Spring Boot
View allMalicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions pri
spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. Rated high severi
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed t
Authentication bypass in Spring Boot 4.0.0-4.0.5 allows remote unauthenticated attackers to access all application endpo
{random.value}` property placeholder are generated with a non-cryptographic pseudo-random number generator, making them
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, th
When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an auth
In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially cra
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d lin
Insecure temporary file handling in Spring Boot's ArtemisEmbeddedConfigurationFactory allows a local, low-privileged att
Spring Boot's Mail auto-configuration omits hostname verification for SMTP over TLS/SSL, leaving applications exposed to
Share
External POC / Exploit Code
Leaving vuln.today