CVE-2021-36299
Description
Dell iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.29.00 and 5.00.00.00 contain an SQL injection vulnerability. A remote authenticated malicious user with low privileges may potentially exploit this vulnerability to cause information disclosure or denial of service by supplying specially crafted input data to the affected application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell iDRAC9 versions from 4.40.00.00 up to, but not including, 4.40.29.00 or 5.00.00.00 contain an SQL injection flaw; a remote, authenticated, low-privilege attacker can cause information disclosure or denial of service by supplying crafted input.
Vulnerability
Dell iDRAC9 versions 4.40.00.00 and later, but prior to 4.40.29.00 and 5.00.00.00, contain an SQL injection vulnerability [1]. A remote authenticated malicious user with low privileges may exploit this by supplying specially crafted input data to the affected application, leading to information disclosure or denial of service [1].
Exploitation
The attacker must be authenticated with low privileges and have network access to the iDRAC9 web interface [1]. No user interaction beyond submitting crafted input is required; the vulnerability is reachable via normal application functionality [1]. The attack does not require a race window or special timing [1].
Impact
Successful exploitation can cause information disclosure (reading sensitive data) or denial of service (disrupting application availability) [1]. The CVSS base score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L) [1], indicating high confidentiality impact with no integrity impact and limited availability impact.
Mitigation
Dell released fixed versions: iDRAC9 4.40.29.00 and 5.00.00.00 [1]. Users should update to these or later builds. No workarounds are documented; upgrading is the sole mitigation [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] support.emc.com/kb/000191229 (MISC)
News mentions
No linked articles in our index yet.