Skip to main content

Spring Boot CVE-2021-26987

CRITICAL
2021-03-15 security-alert@netapp.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Mar 15, 2021 - 22:15 nvd
CRITICAL 9.8

DescriptionNVD

Element Plug-in for vCenter Server incorporates SpringBoot Framework. SpringBoot Framework versions prior to 1.3.2 are susceptible to a vulnerability which when successfully exploited could lead to Remote Code Execution. All versions of Element Plug-in for vCenter Server, Management Services versions prior to 2.17.56 and Management Node versions through 12.2 contain vulnerable versions of SpringBoot Framework.

AnalysisAI

Element Plug-in for vCenter Server incorporates SpringBoot Framework. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

Element Plug-in for vCenter Server incorporates SpringBoot Framework. SpringBoot Framework versions prior to 1.3.2 are susceptible to a vulnerability which when successfully exploited could lead to Remote Code Execution. All versions of Element Plug-in for vCenter Server, Management Services versions prior to 2.17.56 and Management Node versions through 12.2 contain vulnerable versions of SpringBoot Framework. Affected products include: Vmware Spring Boot, Netapp Element Plug-In For Vcenter Server, Netapp Management Services For Element Software And Netapp Hci, Netapp Solidfire \& Hci Management Node. Version information: prior to 1.3.2.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2017-8046 CRITICAL POC
9.8 Jan 04

Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions pri

CVE-2022-27772 HIGH POC
7.8 Mar 30

spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. Rated high severi

CVE-2023-20873 CRITICAL
9.8 Apr 20

In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed t

CVE-2026-40976 CRITICAL
9.1 Apr 28

Authentication bypass in Spring Boot 4.0.0-4.0.5 allows remote unauthenticated attackers to access all application endpo

CVE-2026-40975 HIGH
7.5 Apr 28

{random.value}` property placeholder are generated with a non-cryptographic pseudo-random number generator, making them

CVE-2023-20883 HIGH
7.5 May 26

In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, th

CVE-2023-22602 HIGH
7.5 Jan 14

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an auth

CVE-2023-34055 MEDIUM
6.5 Nov 28

In Spring Boot versions 2.7.0 - 2.7.17, 3.0.0-3.0.12 and 3.1.0-3.1.5, it is possible for a user to provide specially cra

CVE-2018-1196 MEDIUM
5.9 Mar 19

Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d lin

CVE-2026-41001 MEDIUM
5.3 Jun 11

Insecure temporary file handling in Spring Boot's ArtemisEmbeddedConfigurationFactory allows a local, low-privileged att

CVE-2026-40992 MEDIUM
5.0 Jun 11

Spring Boot's Mail auto-configuration omits hostname verification for SMTP over TLS/SSL, leaving applications exposed to

Share

CVE-2021-26987 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy