CISA KEV 정보
| 취약점명 | SolarWinds Serv-U Improper Input Validation Vulnerability |
|---|---|
| 설명 | SolarWinds Serv-U versions 15.2.5 and earlier contain an improper input validation vulnerability that allows attackers to build and send queries without sanitization. |
| 조치사항 | Apply updates per vendor instructions. |
| 랜섬웨어 캠페인 악용 | Unknown |
| CWE | CWE-20 |
| 등록일 (KEV) | 2022-01-21 |
| 조치 기한 | 2022-02-04 |
| 추가 참고 | https://nvd.nist.gov/vuln/detail/CVE-2021-35247 |
NVD 상세 정보
CVSS v3.1: 4.3 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NCVSS v2.0: 5.0
AV:N/AC:L/Au:N/C:N/I:P/A:N설명: Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream affect has been detected as the LDAP servers ignored improper characters. To insure proper input validation is completed in all environments. SolarWinds recommends scheduling an update to the latest version of Serv-U.
CWE: CWE-20
참조
- https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3_release_notes.htm [Release Notes, Vendor Advisory]
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247 [Broken Link, Vendor Advisory]
- https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3_release_notes.htm [Release Notes, Vendor Advisory]
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247 [Broken Link, Vendor Advisory]
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35247 [US Government Resource]
This product uses the NVD API but is not endorsed or certified by the NVD.