CVE-2021-35248

Unrestricted access to Orion.UserSettings SWIS entity for low-privilege users

Description

It has been reported that any Orion user, e.g. guest accounts can query the Orion.UserSettings entity and enumerate users and their basic settings.

Solution:

This vulnerability has been fixed in Orion version 2020.2.6 HF3, customers are advised to upgrade to the latest version once it it is available.

Workaround:

If you are unable to upgrade immediately. See SolarWinds Knowledgebase Article Below: https://support.solarwinds.com/SuccessCenter/s/article/Mitigate-the-Unrestricted-access-to-Orion-UserSettings-SWIS-entity-for-low-privilege-users-CVE-2021-35248

Link	Tags
https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35248	vendor advisory
https://support.solarwinds.com/SuccessCenter/s/article/Orion-Platform-2020-2-6-Hotfix-3	release notes vendor advisory
https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/core-secure-configuration.htm	vendor advisory

What is the severity of CVE-2021-35248?: CVE-2021-35248 has been scored as a medium severity vulnerability.
How to fix CVE-2021-35248?: To fix CVE-2021-35248: This vulnerability has been fixed in Orion version 2020.2.6 HF3, customers are advised to upgrade to the latest version once it it is available.
Is CVE-2021-35248 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2021-35248 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-35248?: CVE-2021-35248 affects SolarWinds Orion.