CVE-2021-35247

Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream affect has been detected as the LDAP servers ignored improper characters. To insure proper input validation is completed in all environments. SolarWinds recommends scheduling an update to the latest version of Serv-U.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3_release_notes.htm	Release Notes Vendor Advisory
https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247	Broken Link Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:solarwinds:serv-u:*:*:*:*:*:*:*:*

History

10 Feb 2022, 15:08

Type	Values Removed	Values Added
References	~~(MISC) https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3_release_notes.htm -~~	(MISC) https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3_release_notes.htm - Release Notes, Vendor Advisory

25 Jan 2022, 20:15

Type	Values Removed	Values Added
Summary	Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream affect has been detected as the LDAP servers ignored improper characters	Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream affect has been detected as the LDAP servers ignored improper characters. To insure proper input validation is completed in all environments. SolarWinds recommends scheduling an update to the latest version of Serv-U.
References		(MISC) https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3_release_notes.htm -

19 Jan 2022, 17:12

Type	Values Removed	Values Added
References	~~(MISC) https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247 - Broken Link~~	(MISC) https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247 - Broken Link, Vendor Advisory
CVSS	v2 : ~~7.5~~ v3 : ~~9.8~~	v2 : 5.0 v3 : 5.3

18 Jan 2022, 18:15

Type	Values Removed	Values Added
Summary	Serv-U web login screen was allowing characters that were not sanitized by the authentication mechanism. SolarWinds has updated the authentication mechanism to remedy this issue and prevent unauthorized parameters to be used in the Serv-U login screen With the Log4j issue in the wild, input fields across the internet have been tested for vulnerability. Although Serv-U was not affected by the log4j issue, It was discovered that better input validation could be implemented.	Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream affect has been detected as the LDAP servers ignored improper characters

14 Jan 2022, 01:40

Type	Values Removed	Values Added
References	~~(MISC) https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247 -~~	(MISC) https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247 - Broken Link
CWE		CWE-20
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 7.5 v3 : 9.8
CPE		cpe:2.3:a:solarwinds:serv-u::::::::

10 Jan 2022, 14:14

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-01-10 14:10

Updated : 2024-02-04 22:08

NVD link : CVE-2021-35247

Mitre link : CVE-2021-35247

CVE.ORG link : CVE-2021-35247

JSON object : View

Products Affected

solarwinds

serv-u

CWE

CWE-20

Improper Input Validation

5.3 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

JSON object

Attach tags to CVE-2021-35247

5.3^/10

5.0^/10

Attach tags to `CVE-2021-35247`