Unrestricted access to Orion.UserSettings SWIS entity for low-privilege users

(CVE-2021-35248)

Summary

Insecure permissions allow low-privilege Orion users to query the  Orion.UserSettings SWIS entity. This will present usernames and basic user settings.

Affected Products

Orion 2020.2.6 HF2 and earlier

Fixed Software Release

Orion 2020.2.6 HF3

Advisory Details

Severity

6.8 Medium

Advisory ID

CVE-2021-35248

First Published

12/20/2021

Fixed Version

Orion 2020.2.6 HF3

Workarounds

Workaround 1

CVSS Score

CVSS:3.0/AV:A/AC:L/PR:L/UI:N/
S:C/C:H/I:N/A:N