CVE-2021-35001

MEDIUM

BMC Track-It! - Authenticated Information Disclosure via GetData Endpoint

Title source: llm
STIX 2.1

Description

BMC Track-It! GetData Missing Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of BMC Track-It!. Authentication is required to exploit this vulnerability. The specific flaw exists within the GetData endpoint. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-14527.

References (2)

Core 2
Core References
Third Party Advisory x_research-advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-001/

Scores

CVSS v3 6.5
EPSS 0.0076
EPSS Percentile 50.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (7)
bmc/track-it\! 20.19.01
bmc/track-it\! 20.19.02
bmc/track-it\! 20.19.03
bmc/track-it\! 20.20.01
bmc/track-it\! 20.20.02
bmc/track-it\! 20.20.03
bmc/track-it\! 20.21.01
Published May 07, 2024
Tracked Since Feb 18, 2026