CVE-2021-35246 - OpenCVE

The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Solarwinds	Engineer\'s Toolset

Configuration 1 [-]

cpe:2.3:a:solarwinds:engineer\'s_toolset:2020.2.6:hotfix_4:*:*:*:*:*:*

References

Link	Resource
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246	Third Party Advisory
https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm	Release Notes Vendor Advisory
https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: SolarWinds

Published: 2022-11-23T16:48:18.061230Z

Updated: 2023-10-23T12:45:14.632Z

Reserved: 2021-06-22T00:00:00

Link: CVE-2021-35246

JSON object: View

NVD Information

Status : Modified

Published: 2022-11-23T17:15:09.943

Modified: 2023-08-03T21:15:11.773

Link: CVE-2021-35246

JSON object: View

Redhat Information

No data.

CWE

CWE-319

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Engineer's Toolset", "vendor": "SolarWinds", "versions": [{"status": "affected", "version": "2022.3 and previous versions"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Justo Socarras"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users."}], "value": "The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users."}], "impacts": [{"capecId": "CAPEC-94", "descriptions": [{"lang": "en", "value": "CAPEC-94 Man in the Middle Attack"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319 Inappropriate Encoding for Output Context", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-10-23T12:45:14.632Z"}, "references": [{"name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246", "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246"}, {"name": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm", "url": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm"}, {"name": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SolarWinds recommends to upgrade to the latest available version of Engineer's Toolset. <br>"}], "value": "SolarWinds recommends to upgrade to the latest available version of Engineer's Toolset.\u00a0\n"}], "source": {"discovery": "UNKNOWN"}, "title": "Unprotected Transport of Credentials (HSTS) Vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}, "cveMetadata": {"assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "cveId": "CVE-2021-35246", "serial": 1, "state": "PUBLISHED", "dateUpdated": "2023-10-23T12:45:14.632Z", "dateReserved": "2021-06-22T00:00:00", "datePublished": "2022-11-23T16:48:18.061230Z", "assignerShortName": "SolarWinds"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:engineer\\'s_toolset:2020.2.6:hotfix_4:*:*:*:*:*:*", "matchCriteriaId": "FF5C5368-0EB3-4195-9199-E4AAACFFEA73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users."}, {"lang": "es", "value": "La aplicaci\u00f3n no impide que los usuarios se conecten a ella a trav\u00e9s de conexiones no cifradas. Un atacante capaz de modificar el tr\u00e1fico de red de un usuario leg\u00edtimo podr\u00eda evitar el uso de cifrado SSL/TLS por parte de la aplicaci\u00f3n y utilizar la aplicaci\u00f3n como plataforma para ataques contra sus usuarios."}], "id": "CVE-2021-35246", "lastModified": "2023-08-03T21:15:11.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "psirt@solarwinds.com", "type": "Secondary"}]}, "published": "2022-11-23T17:15:09.943", "references": [{"source": "psirt@solarwinds.com", "tags": ["Third Party Advisory"], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246"}, {"source": "psirt@solarwinds.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm"}, {"source": "psirt@solarwinds.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "psirt@solarwinds.com", "type": "Secondary"}]}