CVE-2021-35247

Published on: 01/07/2022 12:00:00 AM UTC

Last Modified on: 02/10/2022 03:08:00 PM UTC

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Certain versions of Serv-U from SolarWinds contain the following vulnerability:

Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please note: No downstream effect has been detected as the LDAP servers ignored improper characters. To ensure proper input validation is completed in all environments, SolarWinds recommends scheduling an update to the latest version of Serv-U.

  • CVE-2021-35247 has been assigned by [email protected] to track the vulnerability - currently rated as MEDIUM severity.
  • Affected Vendor/Software: SolarWinds - Serv-U version < 15.3

CVSS3 Score: 5.3 - MEDIUM

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE

CVSS2 Score: 5 - MEDIUM

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

CVE References

  • Serv-U File Server 15.3 Release Notes (MISC, text/html): documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3_release_notes.htm
  • Page Not Found. (MISC, text/html, inactive link, not archived): www.solarwinds.com/trust-center/security-advisories/cve-2021-35247

Related QID Numbers

  • 376260 SolarWinds Serv-U Improper Input Validation Vulnerability

Known Affected Configurations (CPE V2.3)

  • Type: Application; Vendor: Solarwinds; Product: Serv-u; Version: All; Update: All; Edition: All; Language: All
  • cpe:2.3:a:solarwinds:serv-u:*:*:*:*:*:*:*:*:

Discovery Credit

SolarWinds would like to thank Jonathan Bar Or of Microsoft (@yo_yo_yo_jbo) for reporting this vulnerability

Social Mentions

  • Twitter, @yo_yo_yo_jbo (2021-12-28 16:56:38 UTC): Just got assigned with CVE-2021-35247, wait for January to see something funny.
  • Twitter, @CVEreport (2022-01-07 23:16:13 UTC): CVE-2021-35247 : Serv-U web login screen was allowing characters that were not sanitized by the authentication mech… twitter.com/i/web/status/1…
  • Reddit, /r/cybersecurity (2022-01-21 13:49:25 UTC): Top cybersecurity stories for the week of 01-17-22 to 01-21-22