CVE-2021-35248

Summary

It has been reported that any Orion user, e.g. guest accounts can query the Orion.UserSettings entity and enumerate users and their basic settings.

Affected Software

VendorProductVersion RangeStatus
SolarWindsOrion2020.2.6 HF 2 and previous versions < 2020.2.6 HF 3affected

Weaknesses

  • CWE-732: CWE-732 Improper Access Control

Workarounds

If you are unable to upgrade immediately. See SolarWinds Knowledgebase Article Below:

https://support.solarwinds.com/SuccessCenter/s/article/Mitigate-the-Unrestricted-access-to-Orion-UserSettings-SWIS-entity-for-low-privilege-users-CVE-2021-35248

ADP Enrichment

CVE Program Container

Additional References

References