// For flags

CVE-2021-35249

Domain Admin Broken Access Control

Severity Score

4.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to. Please note the admin is unable to modify the data (read only operation). This UAC issue leads to a data leak to unauthorized users for a domain, with no log of them accessing the data unless they attempt to modify it. This read-only activity is logged to the original domain and does not specify which domain was accessed.

Esta vulnerabilidad de control de acceso roto es referida específicamente a un administrador de dominio que puede acceder a los datos de configuración y de usuario de otros dominios a los que no debería tener acceso. Tenga en cuenta que el administrador no puede modificar los datos (operación de sólo lectura). Este problema de UAC conlleva a un filtrado de datos a usuarios no autorizados de un dominio, sin que sea registrado su acceso a los datos a menos que intenten modificarlos. Esta actividad de sólo lectura es registrada en el dominio original y no especifica a qué dominio ha sido accedido

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-06-22 CVE Reserved
  • 2022-05-17 CVE Published
  • 2023-12-08 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-284: Improper Access Control
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Solarwinds
Search vendor "Solarwinds"
Serv-u
Search vendor "Solarwinds" for product "Serv-u"
< 15.3.1
Search vendor "Solarwinds" for product "Serv-u" and version " < 15.3.1"
-
Affected