Cyber Posture

CVE-2021-35484

High

Published: 03 March 2026

Modified: 05 March 2026
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0003 (10.1th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-35484 is a high-severity SQL Injection (CWE-89) vulnerability in Nokia Impact. Its CVSS base score is 8.2 (High).

Operationally, it ranks at the 10.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

SI-10 mandates validation of HTTP GET parameters like sortColumn to block time-based blind SQL injection and prevent extraction of sensitive database information.

prevent

SI-9 enforces restrictions and sanitization on inputs such as the sortColumn parameter, directly mitigating SQL injection vulnerabilities in the /ui/rest-proxy/campaign/statistic endpoint.

prevent

SI-2 requires timely remediation of identified flaws like CVE-2021-35484 through patching or code fixes to eliminate the SQL injection vulnerability.
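
The input validation described under SI-10, shown as an added example that is not taken from Nokia's code or the advisory: SQL placeholders cannot bind column identifiers, so the sortColumn value is mapped through an allowlist before it reaches ORDER BY. The table, the column names, the sortOrder parameter and the function names are hypothetical, and SQLite stands in for the product's database.

```python
import sqlite3

# Hypothetical schema: the real Nokia IMPACT tables are not described on this page.
# Maps the client-facing sortColumn value to a fixed SQL identifier.
SORT_COLUMNS = {"name": "name", "started": "started_at", "devices": "device_count"}
SORT_ORDERS = {"asc": "ASC", "desc": "DESC"}  # sortOrder is an assumed parameter


class InvalidSortParameter(ValueError):
    """Raised when sortColumn/sortOrder is not on the allowlist (map to HTTP 400)."""


def build_statistics_query(sort_column, sort_order="asc"):
    # Identifiers cannot be bound as placeholders, so the request value is never
    # concatenated; it only selects one of the constant strings above.
    if not isinstance(sort_column, str) or sort_column not in SORT_COLUMNS:
        raise InvalidSortParameter("unsupported sortColumn")
    if not isinstance(sort_order, str) or sort_order.lower() not in SORT_ORDERS:
        raise InvalidSortParameter("unsupported sortOrder")
    return (
        "SELECT name, started_at, device_count FROM campaign_statistic "
        "WHERE owner = ? "
        f"ORDER BY {SORT_COLUMNS[sort_column]} {SORT_ORDERS[sort_order.lower()]}"
    )


def list_statistics(conn, owner, sort_column, sort_order="asc"):
    # Data values (owner) still go through bound parameters.
    sql = build_statistics_query(sort_column, sort_order)
    return conn.execute(sql, (owner,)).fetchall()


def demo_connection():
    # Constructed sample data so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE campaign_statistic "
        "(name TEXT, started_at TEXT, device_count INTEGER, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO campaign_statistic VALUES (?, ?, ?, ?)",
        [("fw-update", "2021-02-01", 40, "alice"),
         ("cert-rotate", "2021-01-15", 12, "alice"),
         ("reboot", "2021-03-01", 7, "bob")],
    )
    return conn


if __name__ == "__main__":
    print(list_statistics(demo_connection(), "alice", "devices", "desc"))
```

Rejecting the request outright, rather than falling back to a default sort, keeps malformed sortColumn values visible in application logs.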

NVD Description

Nokia IMPACT through 19.11.2.10-20210118042150283 allows an authenticated user to perform a Time-based Boolean Blind SQL Injection attack on the endpoint /ui/rest-proxy/campaign/statistic (for the View Campaign page) via the sortColumn HTTP GET parameter. This allows an attacker to access sensitive data from the database and obtain access to the database user, database name, and database version information.

Deeper analysis

CVE-2021-35484 is a Time-based Boolean Blind SQL Injection vulnerability (CWE-89) affecting Nokia IMPACT through version 19.11.2.10-20210118042150283. The issue resides in the /ui/rest-proxy/campaign/statistic endpoint, used for the View Campaign page, where the value of the sortColumn HTTP GET parameter is not properly sanitized before it is used in a SQL query. The vulnerability has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), reflecting high confidentiality impact, network accessibility and low attack complexity.

An authenticated user can exploit this vulnerability remotely by crafting malicious sortColumn parameter values to conduct time-based blind SQL injection. Successful exploitation allows extraction of sensitive data from the database, including the database user credentials, database name, and database version information.

Advisories and additional details are available from Gruppo TIM at https://www.gruppotim.it/it/footer/red-team/2021/Motive-Impact-CVE-2021-35484.html, Nokia's IMPACT IoT platform page at https://www.nokia.com/networks/solutions/impact-iot-platform/, and Nokia's responsible disclosure notice at https://www.nokia.com/notices/responsible-disclosure/. Practitioners should consult these for patch information and mitigation guidance.

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products

nokia impact ≤ 19.11.2.10-20210118042150283

CVEs Like This One

CVE-2021-35485: Same product: Nokia Impact
CVE-2023-31044: Same vendor: Nokia
CVE-2025-24818: Same vendor: Nokia
CVE-2021-35486: Same vendor: Nokia
CVE-2025-24817: Same vendor: Nokia
CVE-2025-27020: Same vendor: Nokia
CVE-2026-2094: Shared CWE-89
CVE-2026-3180: Shared CWE-89
CVE-2025-1872: Shared CWE-89
CVE-2026-23492: Shared CWE-89
