CVE-2021-35243 - OpenCVE

The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server with a user-supplied URL. While the DELETE method requests that the origin server removes the association between the target resource and its current functionality. Improper use of these methods may lead to a loss of integrity.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Solarwinds	Web Help Desk

Configuration 1 [-]

cpe:2.3:a:solarwinds:web_help_desk:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US
https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35243

History

No history.

MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published: 2021-12-23T19:48:34.603987Z

Updated: 2024-09-16T17:18:45.942Z

Reserved: 2021-06-22T00:00:00

Link: CVE-2021-35243

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-12-23T20:15:11.480

Modified: 2022-01-07T16:26:29.533

Link: CVE-2021-35243

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Web Help Desk", "vendor": "SolarWinds", "versions": [{"status": "affected", "version": "12.7.7 and previous versions 12.7.7 HF1"}]}], "datePublic": "2021-12-22T00:00:00", "descriptions": [{"lang": "en", "value": "The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server with a user-supplied URL. While the DELETE method requests that the origin server removes the association between the target resource and its current functionality. Improper use of these methods may lead to a loss of integrity."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-749", "description": "CWE-749 Exposed Dangerous Method or Function", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-12-27T18:48:19", "orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35243"}, {"tags": ["x_refsource_MISC"], "url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US"}], "solutions": [{"lang": "en", "value": "Affected customers are advised to upgrade to 12.7.7 Hotfix 1 once it becomes available."}], "source": {"defect": ["CVE-2021-35243"], "discovery": "EXTERNAL"}, "title": "HTTP PUT & DELETE Methods Enabled", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@solarwinds.com", "DATE_PUBLIC": "2021-12-22T14:30:00.000Z", "ID": "CVE-2021-35243", "STATE": "PUBLIC", "TITLE": "HTTP PUT & DELETE Methods Enabled"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Web Help Desk", "version": {"version_data": [{"version_affected": "=", "version_name": "12.7.7 and previous versions", "version_value": "12.7.7 HF1"}]}}]}, "vendor_name": "SolarWinds"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server with a user-supplied URL. While the DELETE method requests that the origin server removes the association between the target resource and its current functionality. Improper use of these methods may lead to a loss of integrity."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-749 Exposed Dangerous Method or Function"}]}]}, "references": {"reference_data": [{"name": "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35243", "refsource": "MISC", "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35243"}, {"name": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US", "refsource": "MISC", "url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US"}]}, "solution": [{"lang": "en", "value": "Affected customers are advised to upgrade to 12.7.7 Hotfix 1 once it becomes available."}], "source": {"defect": ["CVE-2021-35243"], "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T00:33:51.244Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35243"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US"}]}]}, "cveMetadata": {"assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "assignerShortName": "SolarWinds", "cveId": "CVE-2021-35243", "datePublished": "2021-12-23T19:48:34.603987Z", "dateReserved": "2021-06-22T00:00:00", "dateUpdated": "2024-09-16T17:18:45.942Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:web_help_desk:*:*:*:*:*:*:*:*", "matchCriteriaId": "D41CAE30-00B6-4F9F-95AD-42F02E9E9CF8", "versionEndIncluding": "12.7.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server with a user-supplied URL. While the DELETE method requests that the origin server removes the association between the target resource and its current functionality. Improper use of these methods may lead to a loss of integrity."}, {"lang": "es", "value": "Los m\u00e9todos HTTP PUT y DELETE fueron habilitados en el servidor web de Web Help Desk (12.7.7 y anteriores), permitiendo a los usuarios ejecutar peticiones HTTP peligrosas. El m\u00e9todo HTTP PUT se utiliza normalmente para cargar datos que se guardan en el servidor con una URL proporcionada por el usuario. Mientras que el m\u00e9todo DELETE solicita que el servidor de origen elimine la asociaci\u00f3n entre el recurso de destino y su funcionalidad actual. El uso inadecuado de estos m\u00e9todos puede conducir a una p\u00e9rdida de integridad"}], "id": "CVE-2021-35243", "lastModified": "2022-01-07T16:26:29.533", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "psirt@solarwinds.com", "type": "Secondary"}]}, "published": "2021-12-23T20:15:11.480", "references": [{"source": "psirt@solarwinds.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US"}, {"source": "psirt@solarwinds.com", "tags": ["Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35243"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-749"}], "source": "psirt@solarwinds.com", "type": "Secondary"}]}