CVE-2021-35214 - OpenCVE

The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate user session upon password or email address change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session. This issue has been resolved on September 13, 2021.

No CVSS v4.0

Attack Vector Physical

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:L/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Solarwinds	Pingdom

Configuration 1 [-]

cpe:2.3:a:solarwinds:pingdom:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35214

History

No history.

MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published: 2021-10-12T15:18:07

Updated: 2024-08-04T00:33:51.181Z

Reserved: 2021-06-22T00:00:00

Link: CVE-2021-35214

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-10-12T16:15:07.370

Modified: 2021-10-18T18:18:41.343

Link: CVE-2021-35214

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Pingdom", "vendor": "SolarWinds", "versions": [{"lessThan": "13.09.2021", "status": "affected", "version": "prior to 13.09.2021", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Solarwinds would like to thank Taseer Hussain for disclosing vulnerabilities responsibly. "}], "descriptions": [{"lang": "en", "value": "The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate user session upon password or email address change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session. This issue has been resolved on September 13, 2021."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Session Management Vulnerability in Pingdom ", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-10-15T13:39:21", "orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35214"}], "solutions": [{"lang": "en", "value": "This Vulnerability have been fixed on September 13, 2021"}], "source": {"defect": ["CVE-2021-35214"], "discovery": "EXTERNAL"}, "title": "Session Management Vulnerability ", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@solarwinds.com", "ID": "CVE-2021-35214", "STATE": "PUBLIC", "TITLE": "Session Management Vulnerability "}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Pingdom", "version": {"version_data": [{"version_affected": "<", "version_name": "prior to 13.09.2021", "version_value": "13.09.2021"}]}}]}, "vendor_name": "SolarWinds"}]}}, "credit": [{"lang": "eng", "value": "Solarwinds would like to thank Taseer Hussain for disclosing vulnerabilities responsibly. "}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate user session upon password or email address change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session. This issue has been resolved on September 13, 2021."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Session Management Vulnerability in Pingdom "}]}]}, "references": {"reference_data": [{"name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35214", "refsource": "MISC", "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35214"}]}, "solution": [{"lang": "en", "value": "This Vulnerability have been fixed on September 13, 2021"}], "source": {"defect": ["CVE-2021-35214"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T00:33:51.181Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35214"}]}]}, "cveMetadata": {"assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "assignerShortName": "SolarWinds", "cveId": "CVE-2021-35214", "datePublished": "2021-10-12T15:18:07", "dateReserved": "2021-06-22T00:00:00", "dateUpdated": "2024-08-04T00:33:51.181Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:pingdom:*:*:*:*:*:*:*:*", "matchCriteriaId": "A1507707-9EBD-4C54-A2AC-0FF4261DD3CF", "versionEndExcluding": "13.09.2021", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The vulnerability in SolarWinds Pingdom can be described as a failure to invalidate user session upon password or email address change. When running multiple active sessions in separate browser windows, it was observed a password or email address change could be changed without terminating the user session. This issue has been resolved on September 13, 2021."}, {"lang": "es", "value": "La vulnerabilidad en SolarWinds Pingdom puede describirse como un fallo en la invalidaci\u00f3n de la sesi\u00f3n de usuario al cambiar la contrase\u00f1a o la direcci\u00f3n de correo electr\u00f3nico. Cuando se ejecutaban varias sesiones activas en ventanas de navegador separadas, se observaba que se pod\u00eda cambiar la contrase\u00f1a o la direcci\u00f3n de correo electr\u00f3nico sin terminar la sesi\u00f3n de usuario. Este problema se ha resuelto el 13 de septiembre de 2021"}], "id": "CVE-2021-35214", "lastModified": "2021-10-18T18:18:41.343", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.4, "impactScore": 4.0, "source": "psirt@solarwinds.com", "type": "Secondary"}]}, "published": "2021-10-12T16:15:07.370", "references": [{"source": "psirt@solarwinds.com", "tags": ["Broken Link"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35214"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "nvd@nist.gov", "type": "Primary"}]}