vulnerability
SolarWinds Orion Platform: Unrestricted access to Orion UserSettings SWIS entity for low-privilege users (CVE-2021-35248)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:L/Au:S/C:P/I:N/A:N) | Dec 20, 2021 | Feb 24, 2022 | Feb 24, 2022 |
Severity
4
CVSS
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
Published
Dec 20, 2021
Added
Feb 24, 2022
Modified
Feb 24, 2022
Description
It has been reported that any Orion user, e.g. guest accounts can query the Orion.UserSettings entity and enumerate users and their basic settings.
Solution
solarwinds-orion-platform-upgrade-2020_2_6
References
- CVE-2021-35248
- https://attackerkb.com/topics/CVE-2021-35248
- URL-https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/core-secure-configuration.htm
- URL-https://support.solarwinds.com/SuccessCenter/s/article/Orion-Platform-2020-2-6-Hotfix-3
- URL-https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35248
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.