Vulnerability Description
This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to. Please note the admin is unable to modify the data (read only operation). This UAC issue leads to a data leak to unauthorized users for a domain, with no log of them accessing the data unless they attempt to modify it. This read-only activity is logged to the original domain and does not specify which domain was accessed.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Solarwinds | Serv-U | < 15.3.1 |
Related Weaknesses (CWE)
References
- https://documentation.solarwinds.com/en/success_center/servu/content/release_notRelease NotesVendor Advisory
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35249Vendor Advisory
- https://documentation.solarwinds.com/en/success_center/servu/content/release_notRelease NotesVendor Advisory
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35249Vendor Advisory
FAQ
What is CVE-2021-35249?
CVE-2021-35249 is a vulnerability with a CVSS score of 4.3 (MEDIUM). This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to. Please note the admin i...
How severe is CVE-2021-35249?
CVE-2021-35249 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-35249?
Check the references section above for vendor advisories and patch information. Affected products include: Solarwinds Serv-U.