CVE-2021-35226

An entity in Network Configuration Manager product is misconfigured and exposing password field to Solarwinds Information Service (SWIS). Exposed credentials are encrypted and require authenticated access with an NCM role.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35226	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:solarwinds:network_configuration_manager:*:*:*:*:*:*:*:*

History

03 Aug 2023, 17:15

Type	Values Removed	Values Added
Summary	An entity in Network Configuration Manager product is misconfigured and exposing password field to Solarwinds Information Service (SWIS). Exposed credentials are encrypted and require authenticated access with an NCM role.	An entity in Network Configuration Manager product is misconfigured and exposing password field to Solarwinds Information Service (SWIS). Exposed credentials are encrypted and require authenticated access with an NCM role.

Information

Published : 2022-10-10 23:15

Updated : 2024-02-28 19:29

NVD link : CVE-2021-35226

Mitre link : CVE-2021-35226

CVE.ORG link : CVE-2021-35226

JSON object : View

Products Affected

solarwinds

network_configuration_manager

CWE

CWE-326

Inadequate Encryption Strength

{"id": "CVE-2021-35226", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "psirt@solarwinds.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2022-10-10T23:15:14.193", "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35226", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@solarwinds.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-326"}]}, {"type": "Secondary", "source": "psirt@solarwinds.com", "description": [{"lang": "en", "value": "CWE-326"}]}], "descriptions": [{"lang": "en", "value": "An entity in Network Configuration Manager product is misconfigured and exposing password field to Solarwinds Information Service (SWIS). Exposed credentials are encrypted and require authenticated access with an NCM role.\n\n"}, {"lang": "es", "value": "Una entidad del producto Network Configuration Manager est\u00e1 configurada inapropiadamente y expone el campo de la contrase\u00f1a al Servicio de Informaci\u00f3n de Solarwinds (SWIS). Las credenciales expuestas est\u00e1n cifradas y requieren un acceso autenticado con un rol de NCM"}], "lastModified": "2023-08-03T21:15:10.437", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:network_configuration_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "762E85F0-3A43-4557-B76B-D59700B12A9B", "versionEndIncluding": "2020.2.5"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@solarwinds.com"}