CVE-2021-35246 - OpenCVE

The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Solarwinds	Engineer\'s Toolset

Configuration 1 [-]

cpe:2.3:a:solarwinds:engineer\'s_toolset:2020.2.6:hotfix_4:*:*:*:*:*:*

No data.

References

Link	Providers
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246
https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246

History

No history.

MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published: 2022-11-23T16:48:18.061230Z

Updated: 2024-08-04T00:33:51.305Z

Reserved: 2021-06-22T00:00:00

Link: CVE-2021-35246

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-11-23T17:15:09.943

Modified: 2023-08-03T21:15:11.773

Link: CVE-2021-35246

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Engineer's Toolset", "vendor": "SolarWinds", "versions": [{"status": "affected", "version": "2022.3 and previous versions"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Justo Socarras"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users."}], "value": "The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users."}], "impacts": [{"capecId": "CAPEC-94", "descriptions": [{"lang": "en", "value": "CAPEC-94 Man in the Middle Attack"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319 Inappropriate Encoding for Output Context", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-10-23T12:45:14.632Z"}, "references": [{"name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246", "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246"}, {"name": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm", "url": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm"}, {"name": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SolarWinds recommends to upgrade to the latest available version of Engineer's Toolset. <br>"}], "value": "SolarWinds recommends to upgrade to the latest available version of Engineer's Toolset.\u00a0\n"}], "source": {"discovery": "UNKNOWN"}, "title": "Unprotected Transport of Credentials (HSTS) Vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T00:33:51.305Z"}, "title": "CVE Program Container", "references": [{"name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246", "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246", "tags": ["x_transferred"]}, {"name": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm", "url": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm", "tags": ["x_transferred"]}, {"name": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246", "tags": ["x_transferred"]}]}]}, "cveMetadata": {"assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "cveId": "CVE-2021-35246", "serial": 1, "state": "PUBLISHED", "dateUpdated": "2024-08-04T00:33:51.305Z", "dateReserved": "2021-06-22T00:00:00", "datePublished": "2022-11-23T16:48:18.061230Z", "assignerShortName": "SolarWinds"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:engineer\\'s_toolset:2020.2.6:hotfix_4:*:*:*:*:*:*", "matchCriteriaId": "FF5C5368-0EB3-4195-9199-E4AAACFFEA73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users."}, {"lang": "es", "value": "La aplicaci\u00f3n no impide que los usuarios se conecten a ella a trav\u00e9s de conexiones no cifradas. Un atacante capaz de modificar el tr\u00e1fico de red de un usuario leg\u00edtimo podr\u00eda evitar el uso de cifrado SSL/TLS por parte de la aplicaci\u00f3n y utilizar la aplicaci\u00f3n como plataforma para ataques contra sus usuarios."}], "id": "CVE-2021-35246", "lastModified": "2023-08-03T21:15:11.773", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "psirt@solarwinds.com", "type": "Secondary"}]}, "published": "2022-11-23T17:15:09.943", "references": [{"source": "psirt@solarwinds.com", "tags": ["Third Party Advisory"], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246"}, {"source": "psirt@solarwinds.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm"}, {"source": "psirt@solarwinds.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "psirt@solarwinds.com", "type": "Secondary"}]}