CVE-2021-35246

Unprotected Transport of Credentials (HSTS) Vulnerability

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users.

La aplicación no impide que los usuarios se conecten a ella a través de conexiones no cifradas. Un atacante capaz de modificar el tráfico de red de un usuario legítimo podría evitar el uso de cifrado SSL/TLS por parte de la aplicación y utilizar la aplicación como plataforma para ataques contra sus usuarios.

*Credits: Justo Socarras

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2021-06-22 CVE Reserved
2022-11-23 CVE Published
2025-03-30 EPSS Updated
2025-04-25 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-319: Cleartext Transmission of Sensitive Information

CAPEC

CAPEC-94: Adversary in the Middle (AiTM)

References (3)

URL	Tag	Source
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246	2023-08-03

URL	Date	SRC
https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm	2023-08-03

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Solarwinds Search vendor "Solarwinds"		Engineer\'s Toolset Search vendor "Solarwinds" for product "Engineer\'s Toolset"				2020.2.6 Search vendor "Solarwinds" for product "Engineer\'s Toolset" and version "2020.2.6"		hotfix_4		Affected