CVE-2021-35214 - OpenCVE

The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate user session upon password or email address change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session. This issue has been resolved on September 13, 2021.

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:L/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Solarwinds	Pingdom

Configuration 1 [-]

cpe:2.3:a:solarwinds:pingdom:*:*:*:*:*:*:*:*

References

Link	Resource
https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35214	Broken Link

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: SolarWinds

Published: 2021-10-12T15:18:07

Updated: 2021-10-15T13:39:21

Reserved: 2021-06-22T00:00:00

Link: CVE-2021-35214

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-10-12T16:15:07.370

Modified: 2021-10-18T18:18:41.343

Link: CVE-2021-35214

JSON object: View

Redhat Information

No data.

CWE

CWE-613

{"containers": {"cna": {"affected": [{"product": "Pingdom", "vendor": "SolarWinds", "versions": [{"lessThan": "13.09.2021", "status": "affected", "version": "prior to 13.09.2021", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Solarwinds would like to thank Taseer Hussain for disclosing vulnerabilities responsibly. "}], "descriptions": [{"lang": "en", "value": "The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate user session upon password or email address change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session. This issue has been resolved on September 13, 2021."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Session Management Vulnerability in Pingdom ", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-15T13:39:21", "orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35214"}], "solutions": [{"lang": "en", "value": "This Vulnerability have been fixed on September 13, 2021"}], "source": {"defect": ["CVE-2021-35214"], "discovery": "EXTERNAL"}, "title": "Session Management Vulnerability ", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@solarwinds.com", "ID": "CVE-2021-35214", "STATE": "PUBLIC", "TITLE": "Session Management Vulnerability "}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Pingdom", "version": {"version_data": [{"version_affected": "<", "version_name": "prior to 13.09.2021", "version_value": "13.09.2021"}]}}]}, "vendor_name": "SolarWinds"}]}}, "credit": [{"lang": "eng", "value": "Solarwinds would like to thank Taseer Hussain for disclosing vulnerabilities responsibly. "}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate user session upon password or email address change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session. This issue has been resolved on September 13, 2021."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Session Management Vulnerability in Pingdom "}]}]}, "references": {"reference_data": [{"name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35214", "refsource": "MISC", "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35214"}]}, "solution": [{"lang": "en", "value": "This Vulnerability have been fixed on September 13, 2021"}], "source": {"defect": ["CVE-2021-35214"], "discovery": "EXTERNAL"}}}}, "cveMetadata": {"assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "assignerShortName": "SolarWinds", "cveId": "CVE-2021-35214", "datePublished": "2021-10-12T15:18:07", "dateReserved": "2021-06-22T00:00:00", "dateUpdated": "2021-10-15T13:39:21", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:pingdom:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1507707-9EBD-4C54-A2AC-0FF4261DD3CF", "versionEndExcluding": "13.09.2021", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate user session upon password or email address change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session. This issue has been resolved on September 13, 2021."}, {"lang": "es", "value": "La vulnerabilidad en SolarWinds Pingdom puede describirse como un fallo en la invalidaci\u00f3n de la sesi\u00f3n de usuario al cambiar la contrase\u00f1a o la direcci\u00f3n de correo electr\u00f3nico. Cuando se ejecutaban varias sesiones activas en ventanas de navegador separadas, se observaba que se pod\u00eda cambiar la contrase\u00f1a o la direcci\u00f3n de correo electr\u00f3nico sin terminar la sesi\u00f3n de usuario. Este problema se ha resuelto el 13 de septiembre de 2021"}], "id": "CVE-2021-35214", "lastModified": "2021-10-18T18:18:41.343", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.4, "impactScore": 4.0, "source": "psirt@solarwinds.com", "type": "Secondary"}]}, "published": "2021-10-12T16:15:07.370", "references": [{"source": "psirt@solarwinds.com", "tags": ["Broken Link"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35214"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "nvd@nist.gov", "type": "Primary"}]}