CVE-2021-35249: 
Serv-U Managed File Transfer Server vulnerability analysis and mitigation

CVE-2021-35249 is a broken access control vulnerability affecting SolarWinds Serv-U versions prior to 15.3.1. The vulnerability was disclosed on May 17, 2022, and allows domain administrators to access configuration and user data of other domains that they should not have access to. While the unauthorized access is limited to read-only operations, this represents a significant security concern in terms of data confidentiality (SolarWinds Advisory, CERT-FR).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. It is classified under CWE-284 (Improper Access Control). The vulnerability allows for network-based attacks with low attack complexity, requires low privileges, and does not need user interaction. The scope is unchanged, with low confidentiality impact but no impact on integrity or availability (NVD).

The primary impact of this vulnerability is unauthorized access to sensitive data. Domain administrators can view configuration and user data belonging to other domains, leading to potential data leaks. Importantly, while the unauthorized access is logged when modification attempts occur, read-only access is only logged to the original domain without specifying which domain was accessed, making it difficult to track potential data breaches (SolarWinds Advisory).

SolarWinds has addressed this vulnerability in Serv-U version 15.3.1. Organizations using affected versions (Serv-U 15.3 and earlier) should upgrade to version 15.3.1 or later to mitigate this security issue (SolarWinds Advisory).