cvelist | SolarWinds | CVELIST:CVE-2021-35248
History: Dec 20, 2021 - 8:08 p.m.

CVE-2021-35248 Unrestricted access to Orion.UserSettings SWIS entity for low-privilege users

2021-12-20 20:08:24
CWE-732
SolarWinds
www.cve.org
cve-2021-35248
orion.usersettings
swis entity
low-privilege users
unrestricted access
guest accounts
basic settings

CVSS3: 6.8

Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

EPSS: 0.001
Percentile: 29.6%

It has been reported that any Orion user, e.g. a guest account, can query the Orion.UserSettings entity and enumerate users and their basic settings.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Windows"
    ],
    "product": "Orion",
    "vendor": "SolarWinds",
    "versions": [
      {
        "lessThan": "2020.2.6 HF 3",
        "status": "affected",
        "version": "2020.2.6 HF 2 and previous versions",
        "versionType": "custom"
      }
    ]
  }
]
