CVE-2021-35247

Improper Input Validation Vulnerability in Serv-U

CVSS 4.3 MEDIUMEPSS 3.4%● KEVCWE-20

In short

The Serv-U web login screen accepted unsanitized characters when authenticating users through LDAP, potentially allowing attackers to bypass security checks or cause unexpected behavior. While LDAP servers typically ignore malformed input, the vulnerability could be exploited in certain configurations.

Technical detail

This improper input validation vulnerability (CWE-20) affects the LDAP authentication mechanism in Serv-U's web interface. An unauthenticated attacker can send specially crafted input containing insufficiently sanitized characters to the login screen; although most LDAP servers reject such input, certain configurations or downstream systems may process it unexpectedly, potentially leading to authentication bypass or injection attacks.

Summary generated and translated by AI from the official description.

Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream affect has been detected as the LDAP servers ignored improper characters. To insure proper input validation is completed in all environments. SolarWinds recommends scheduling an update to the latest version of Serv-U.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Affected products

SolarWinds · Serv-U

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3_release_notes.htm https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35247 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247