Lucene search

SolarWindsCVELIST:CVE-2021-35212

HistoryAug 31, 2021 - 5:00 p.m.

CVE-2021-35212 Blind SQL injection Vulnerability

2021-08-3117:00:15

SolarWinds

www.cve.org

cve-2021-35212

sql injection

privilege escalation

orion platform

zdi team

blind boolean

full read/write

database content

orion certificate

authenticated user

CVSS3

8.9

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

AI Score

9.3

Confidence

High

EPSS

0.003

Percentile

69.3%

JSON

An SQL injection Privilege Escalation Vulnerability was discovered in the Orion Platform reported by the ZDI Team. A blind Boolean SQL injection which could lead to full read/write over the Orion database content including the Orion certificate for any authenticated user.

CNA Affected

[
  {
    "product": "Orion Platform",
    "vendor": "SolarWinds",
    "versions": [
      {
        "lessThan": "2020.2.5 HF1 ",
        "status": "affected",
        "version": "2020.2.5 and previous versions",
        "versionType": "custom"
      }
    ]
  }
]

References

documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm

documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/orion_platform_2020-2-6_release_notes.htm

www.solarwinds.com/trust-center/security-advisories/cve-2021-35212

www.zerodayinitiative.com/advisories/ZDI-21-1243/

CVSS3

8.9

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

AI Score

9.3

Confidence

High

EPSS

0.003

Percentile

69.3%

JSON

Related for CVELIST:CVE-2021-35212