Описание
Serv-U web login screen was allowing characters that were not sanitized by the authentication mechanism. SolarWinds has updated the authentication mechanism to remedy this issue and prevent unauthorized parameters to be used in the Serv-U login screen With the Log4j issue in the wild, input fields across the internet have been tested for vulnerability. Although Serv-U was not affected by the log4j issue, It was discovered that better input validation could be implemented.
Serv-U web login screen was allowing characters that were not sanitized by the authentication mechanism. SolarWinds has updated the authentication mechanism to remedy this issue and prevent unauthorized parameters to be used in the Serv-U login screen With the Log4j issue in the wild, input fields across the internet have been tested for vulnerability. Although Serv-U was not affected by the log4j issue, It was discovered that better input validation could be implemented.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2021-35247
- https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-3_release_notes.htm
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-35247
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247
Связанные уязвимости
Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization. Please Note: No downstream affect has been detected as the LDAP servers ignored improper characters. To insure proper input validation is completed in all environments. SolarWinds recommends scheduling an update to the latest version of Serv-U.
Уязвимости функции веб-аутентификации файлового сервера SolarWinds Serv-U File Server, позволяющая нарушителю повысить свои привилегии