Vulnerability CVE-2021-35223

Vulnerability CVE-2021-35223

Published: 2021-08-31

Description:

The Serv-U File Server allows for events such as user login failures to be audited by executing a command. This command can be supplied with parameters that can take the form of ??user string variables,? allowing remote code execution.

Type:

NVD-CWE-noinfo

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVSS Base Score	Impact Subscore	Exploitability Subscore
6.5/10	6.4/10	8/10

Exploit range	Attack complexity	Authentication
Remote	Low	Single time
Confidentiality impact	Integrity impact	Availability impact
Partial	Partial	Partial

Affected software
Solarwinds -> Serv-u

References:

https://support.solarwinds.com/SuccessCenter/s/article/Execute-Command-Function-Allows-Remote-Code-Execution-RCE-Vulnerability-CVE-2021-35223?language=en_US

https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-2-4_release_notes.htm

https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35223

Vulnerability CVE-2021-35223

The Serv-U File Server allows for events such as user login failures to be audited by executing a command. This command can be supplied with parameters that can take the form of ??user string variables,? allowing remote code execution.

NVD-CWE-noinfo

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:P/A:P)

6.5/10

6.4/10

8/10

Remote

Low

Single time

Partial

Partial

Partial

Affected software

References: