The Serv-U web login screen for LDAP authentication allowed characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please note: no downstream effect has been detected, as the LDAP servers ignored the improper characters. To ensure proper input validation is completed in all environments, SolarWinds recommends scheduling an update to the latest version of Serv-U.
Published 2022-01-10 14:10:18
Updated 2022-02-10 15:08:52
Source SolarWinds
Vulnerability category: Input validation

CVE-2021-35247 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:
SolarWinds Serv-U Improper Input Validation Vulnerability
CISA required action:
Apply updates per vendor instructions.
CISA description:
SolarWinds Serv-U versions 15.2.5 and earlier contain an improper input validation vulnerability that allows attackers to build and send queries without sanitization.
Added on 2022-01-21; action due date 2022-02-04

Exploit prediction scoring system (EPSS) score for CVE-2021-35247

Probability of exploitation activity in the next 30 days: 0.67%

Percentile (the proportion of vulnerabilities that are scored at or less): ~79%

CVSS scores for CVE-2021-35247

Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N | 10.0 | 2.9 | NIST
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 | NIST
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N | 2.8 | 1.4 | SolarWinds

CWE ids for CVE-2021-35247

  • The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
    Assigned by:
    • nvd@nist.gov (Primary)
    • psirt@solarwinds.com (Secondary)
