First published: Tue Oct 19 2021
The HTTP TRACK and TRACE methods are enabled in Kiwi Syslog Server 9.7.1 and earlier. These methods are intended for diagnostic purposes only: when enabled, the web server answers a TRACK or TRACE request by returning the exact HTTP request it received in the body of its response. This can disclose sensitive information such as internal authentication headers appended by reverse proxies, since those headers are reflected back to the client.
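To make the mechanism described above concrete, here is an added Python example (not SolarWinds code and not Kiwi Syslog Server itself) that runs a tiny local web server two ways: one handler that reflects TRACE requests the way the advisory describes, and one that refuses the method with 405, then checks whether a header a reverse proxy might append comes back in the response. The header name and token are constructed for the demo.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class EchoingHandler(BaseHTTPRequestHandler):
    """Demo server with TRACE left enabled: it reflects the request line
    and every request header back to the client in a message/http body."""

    def do_TRACE(self):
        body = self.requestline + "\r\n"
        for name, value in self.headers.items():
            body += f"{name}: {value}\r\n"
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(EchoingHandler):
    """Same server with TRACE disabled: the method is refused outright."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def serve(handler):
    """Start the handler on an ephemeral localhost port; return (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def trace_check(port, proxy_header=("X-Internal-Auth", "constructed-secret-token")):
    """Send one TRACE carrying a constructed header of the kind a reverse proxy
    appends, and return (status, leaked): leaked is True when the server
    answered 200 and echoed the header value back in the body."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("TRACE", "/", headers={proxy_header[0]: proxy_header[1]})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    return resp.status, resp.status == 200 and proxy_header[1] in body
```

Running `trace_check` against your own server in a staging environment is a quick way to confirm the method is actually disabled after an upgrade or a proxy rule change.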
Credit: psirt@solarwinds.com
Affected Software | Affected Version | How to fix
---|---|---
Solarwinds Kiwi Syslog Server | <=9.7.2 | 
SolarWinds recommends upgrading to the latest version, Kiwi Syslog Server 9.8, as soon as it becomes available.
CVE-2021-35233 is a vulnerability in Kiwi Syslog Server 9.7.1 and earlier in which the HTTP TRACK and TRACE methods are enabled, so the web server responds to such requests by returning the exact HTTP request it received.
The severity of CVE-2021-35233 is medium with a severity value of 5.3.
To fix CVE-2021-35233, upgrade to Kiwi Syslog Server version 9.7.2 or later.
The Common Weakness Enumeration (CWE) for CVE-2021-35233 is CWE-16.
You can find more information about CVE-2021-35233 in the SolarWinds documentation and security advisories.