CVE-2021-35246 - Vulnerability Details - OpenCVE

The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Solarwinds	Engineer\'s Toolset

Configuration 1 [-]

cpe:2.3:a:solarwinds:engineer\'s_toolset:2020.2.6:hotfix_4:*:*:*:*:*:*

No data.

References

Link	Providers
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246
https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246

History

Fri, 25 Apr 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published: 2022-11-23T16:48:18.061Z

Updated: 2025-04-25T18:18:44.414Z

Reserved: 2021-06-22T00:00:00.000Z

Link: CVE-2021-35246

Vulnrichment

Updated: 2024-08-04T00:33:51.305Z

NVD

Status : Modified

Published: 2022-11-23T17:15:09.943

Modified: 2024-11-21T06:12:08.733

Link: CVE-2021-35246

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Engineer's Toolset", "vendor": "SolarWinds", "versions": [{"status": "affected", "version": "2022.3 and previous versions"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Justo Socarras"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users."}], "value": "The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users."}], "impacts": [{"capecId": "CAPEC-94", "descriptions": [{"lang": "en", "value": "CAPEC-94 Man in the Middle Attack"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319 Inappropriate Encoding for Output Context", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-10-23T12:45:14.632Z"}, "references": [{"name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246", "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246"}, {"name": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm", "url": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm"}, {"name": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SolarWinds recommends to upgrade to the latest available version of Engineer's Toolset. <br>"}], "value": "SolarWinds recommends to upgrade to the latest available version of Engineer's Toolset.\u00a0\n"}], "source": {"discovery": "UNKNOWN"}, "title": "Unprotected Transport of Credentials (HSTS) Vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T00:33:51.305Z"}, "title": "CVE Program Container", "references": [{"name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246", "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246", "tags": ["x_transferred"]}, {"name": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm", "url": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm", "tags": ["x_transferred"]}, {"name": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-25T18:18:35.891700Z", "id": "CVE-2021-35246", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T18:18:44.414Z"}}]}, "cveMetadata": {"assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "cveId": "CVE-2021-35246", "serial": 1, "state": "PUBLISHED", "dateUpdated": "2025-04-25T18:18:44.414Z", "dateReserved": "2021-06-22T00:00:00.000Z", "datePublished": "2022-11-23T16:48:18.061Z", "assignerShortName": "SolarWinds"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246", "name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246", "tags": ["x_transferred"]}, {"url": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm", "name": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm", "tags": ["x_transferred"]}, {"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246", "name": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T00:33:51.305Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-35246", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-25T18:18:35.891700Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-25T18:18:03.445Z"}}], "cna": {"title": "Unprotected Transport of Credentials (HSTS) Vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Justo Socarras"}], "impacts": [{"capecId": "CAPEC-94", "descriptions": [{"lang": "en", "value": "CAPEC-94 Man in the Middle Attack"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SolarWinds", "product": "Engineer's Toolset", "versions": [{"status": "affected", "version": "2022.3 and previous versions"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "SolarWinds recommends to upgrade to the latest available version of Engineer's Toolset.\u00a0\n", "supportingMedia": [{"type": "text/html", "value": "SolarWinds recommends to upgrade to the latest available version of Engineer's Toolset. <br>", "base64": false}]}], "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246", "name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246"}, {"url": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm", "name": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm"}, {"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246", "name": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users.", "supportingMedia": [{"type": "text/html", "value": "The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-319", "description": "CWE-319 Inappropriate Encoding for Output Context"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-10-23T12:45:14.632Z"}}}, "cveMetadata": {"cveId": "CVE-2021-35246", "state": "PUBLISHED", "serial": 1, "dateUpdated": "2025-04-25T18:18:44.414Z", "dateReserved": "2021-06-22T00:00:00.000Z", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "datePublished": "2022-11-23T16:48:18.061Z", "assignerShortName": "SolarWinds"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:engineer\\'s_toolset:2020.2.6:hotfix_4:*:*:*:*:*:*", "matchCriteriaId": "FF5C5368-0EB3-4195-9199-E4AAACFFEA73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption and use the application as a platform for attacks against its users."}, {"lang": "es", "value": "La aplicaci\u00f3n no impide que los usuarios se conecten a ella a trav\u00e9s de conexiones no cifradas. Un atacante capaz de modificar el tr\u00e1fico de red de un usuario leg\u00edtimo podr\u00eda evitar el uso de cifrado SSL/TLS por parte de la aplicaci\u00f3n y utilizar la aplicaci\u00f3n como plataforma para ataques contra sus usuarios."}], "id": "CVE-2021-35246", "lastModified": "2024-11-21T06:12:08.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "psirt@solarwinds.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-11-23T17:15:09.943", "references": [{"source": "psirt@solarwinds.com", "tags": ["Third Party Advisory"], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246"}, {"source": "psirt@solarwinds.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm"}, {"source": "psirt@solarwinds.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35246"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://documentation.solarwinds.com/en/success_center/ets/content/release_notes/ets_2022-4_release_notes.htm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35246"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "psirt@solarwinds.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}]}