Vulnerabilites related to solarwinds - access_rights_manager
cve-2023-35181
Vulnerability from cvelistv5
Published
2023-10-19 14:24
Modified
2024-09-13 15:37
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows users to abuse incorrect folder permission resulting in Privilege Escalation.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T16:23:59.583Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35181", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.0.73", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-35181", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-09-13T15:36:27.776469Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-13T15:37:44.724Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.0.73", status: "affected", version: "previous versions", versionType: "2023.2", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], datePublic: "2023-10-18T07:00:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows users to abuse incorrect folder permission resulting in Privilege Escalation.", }, ], value: "The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows users to abuse incorrect folder permission resulting in Privilege Escalation.", }, ], impacts: [ { capecId: "CAPEC-233", descriptions: [ { lang: "en", value: "CAPEC-233 Privilege Escalation", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-276", description: "CWE-276 Incorrect Default Permissions", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-10-19T14:24:54.662Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35181", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.1<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.1\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2023-35181", datePublished: "2023-10-19T14:24:54.662Z", dateReserved: "2023-06-14T20:03:23.107Z", dateUpdated: "2024-09-13T15:37:44.724Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-28074
Vulnerability from cvelistv5
Published
2024-07-17 14:29
Modified
2024-08-02 00:48
Severity ?
EPSS score ?
Summary
It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager. While some controls were implemented the researcher was able to bypass these and use a different method to exploit the vulnerability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-28074", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-07-18T00:00:00+00:00", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-19T03:55:34.124Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T00:48:48.255Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "previous versions", versionType: "2024.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Anonymous working with Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager. While some controls were implemented the researcher was able to bypass these and use a different method to exploit the vulnerability.", }, ], value: "It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager. While some controls were implemented the researcher was able to bypass these and use a different method to exploit the vulnerability.", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-17T14:29:39.778Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager (ARM) Internal Deserialization Remote Code Execution Vulnerability ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-28074", datePublished: "2024-07-17T14:29:39.778Z", dateReserved: "2024-03-01T08:53:44.513Z", dateUpdated: "2024-08-02T00:48:48.255Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-40058
Vulnerability from cvelistv5
Published
2023-12-21 16:14
Modified
2024-08-27 15:01
Severity ?
EPSS score ?
Summary
Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T18:24:54.655Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40058", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-40058", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-08-27T14:50:37.212340Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-27T15:01:09.799Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.1", status: "affected", version: "previous versions", versionType: "2023.2.1", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Anonymous working with Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment. <br>\n\n\n\n\n\n", }, ], value: "Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment. \n\n\n\n\n\n\n", }, ], impacts: [ { capecId: "CAPEC-1", descriptions: [ { lang: "en", value: "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-200", description: "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-01-04T13:33:57.792Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40058", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.2<br>", }, ], value: "\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.2\n", }, ], source: { discovery: "UNKNOWN", }, title: "Sensitive Information Disclosure Vulnerability ", workarounds: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<a target=\"_blank\" rel=\"nofollow\" href=\"https://support.solarwinds.com/SuccessCenter/s/article/Creating-a-unique-RabbitMQ-account-in-SolarWinds-ARM\">https://support.solarwinds.com/SuccessCenter/s/article/Creating-a-unique-RabbitMQ-account-in-SolarWi...</a><br>", }, ], value: " https://support.solarwinds.com/SuccessCenter/s/article/Creating-a-unique-RabbitMQ-account-in-SolarWi... https://support.solarwinds.com/SuccessCenter/s/article/Creating-a-unique-RabbitMQ-account-in-SolarWinds-ARM \n", }, ], x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2023-40058", datePublished: "2023-12-21T16:14:48.077Z", dateReserved: "2023-08-08T23:22:08.618Z", dateUpdated: "2024-08-27T15:01:09.799Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-35184
Vulnerability from cvelistv5
Published
2023-10-19 14:22
Modified
2024-09-12 20:08
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service resulting in a remote code execution.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T16:23:59.615Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35184", }, { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.0.73", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-35184", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-09-12T19:52:35.297900Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T20:08:03.662Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.0.73", status: "affected", version: "previous versions", versionType: "2023.2", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], datePublic: "2023-10-18T07:00:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service resulting in a remote code execution.", }, ], value: "The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service resulting in a remote code execution.", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-10-19T14:22:26.928Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35184", }, { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.1<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.1\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager Deserialization of Untrusted Data Remote Code Execution Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2023-35184", datePublished: "2023-10-19T14:22:26.928Z", dateReserved: "2023-06-14T20:03:23.107Z", dateUpdated: "2024-09-12T20:08:03.662Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-28993
Vulnerability from cvelistv5
Published
2024-07-17 14:24
Modified
2024-08-02 01:03
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-28993", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-17T18:11:57.351085Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-17T18:12:08.211Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T01:03:51.579Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "previous versions", versionType: "2024.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.", }, ], value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.", }, ], impacts: [ { capecId: "CAPEC-37", descriptions: [ { lang: "en", value: "CAPEC-37 Retrieve Embedded Sensitive Data", }, ], }, { capecId: "CAPEC-165", descriptions: [ { lang: "en", value: "CAPEC-165 File Manipulation", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-17T14:24:42.745Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager Directory Traversal and Information Disclosure Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-28993", datePublished: "2024-07-17T14:24:42.745Z", dateReserved: "2024-03-13T20:27:09.783Z", dateUpdated: "2024-08-02T01:03:51.579Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23478
Vulnerability from cvelistv5
Published
2024-02-15 20:35
Modified
2024-08-12 20:38
Severity ?
EPSS score ?
Summary
SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service, resulting in remote code execution.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T23:06:24.841Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23478", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unaffected", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThan: "2023.2.2", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-23478", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-02-22T05:00:44.996879Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-12T20:38:34.859Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.2 ", status: "affected", version: "previous versions", versionType: "2023.2.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service, resulting in remote code execution.<br>", }, ], value: "SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service, resulting in remote code execution.\n", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-15T20:48:13.041Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23478", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.3<br>", }, ], value: "\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.3\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-23478", datePublished: "2024-02-15T20:35:46.029Z", dateReserved: "2024-01-17T16:10:36.177Z", dateUpdated: "2024-08-12T20:38:34.859Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23473
Vulnerability from cvelistv5
Published
2024-05-09 12:43
Modified
2024-08-01 23:06
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability allows access to the RabbitMQ management console.
We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.3", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-23473", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-05-09T15:57:07.286791Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-30T14:53:20.981Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:06:24.896Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23473", }, { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-4_release_notes.htm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.3", status: "affected", version: "previous versions", versionType: "2023.2.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], datePublic: "2024-05-09T08:48:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability allows access to the RabbitMQ management console. <br><br>We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. ", }, ], value: "The SolarWinds Access Rights Manager was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability allows access to the RabbitMQ management console. \n\nWe thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. ", }, ], impacts: [ { capecId: "CAPEC-1", descriptions: [ { lang: "en", value: "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-798", description: "CWE-798 Use of Hard-coded Credentials", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-09T12:43:51.111Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23473", }, { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-4_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.4<br>", }, ], value: "\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.4\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager (ARM) Hard-Coded Credentials Authentication Bypass Vulnerability ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-23473", datePublished: "2024-05-09T12:43:51.111Z", dateReserved: "2024-01-17T16:07:35.068Z", dateUpdated: "2024-08-01T23:06:24.896Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23467
Vulnerability from cvelistv5
Published
2024-07-17 14:28
Modified
2024-08-01 23:06
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform remote code execution.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "0", versionType: "custom", }, { status: "unaffected", version: "2024.3", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-23467", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-07-18T00:00:00+00:00", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-19T03:55:33.417Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:06:24.783Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "previous versions", versionType: "2024.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Anonymous working with Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform remote code execution.", }, ], value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform remote code execution.", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-17T14:28:57.869Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager Directory Traversal Remote Code Execution Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-23467", datePublished: "2024-07-17T14:28:57.869Z", dateReserved: "2024-01-17T16:07:35.066Z", dateUpdated: "2024-08-01T23:06:24.783Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23479
Vulnerability from cvelistv5
Published
2024-02-15 20:34
Modified
2024-08-06 15:38
Severity ?
EPSS score ?
Summary
SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T23:06:24.898Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23479", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2024-23479", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-02-22T05:00:46.030582Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-06T15:38:13.693Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.2 ", status: "affected", version: "previous versions", versionType: "2023.2.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Anonymous working with Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.<br>", }, ], value: "SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.\n", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-15T20:48:01.016Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23479", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.3<br>", }, ], value: "\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.3\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager (ARM) Directory Traversal Remote Code Execution Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-23479", datePublished: "2024-02-15T20:34:39.088Z", dateReserved: "2024-01-17T16:10:36.177Z", dateUpdated: "2024-08-06T15:38:13.693Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23469
Vulnerability from cvelistv5
Published
2024-07-17 14:26
Modified
2024-08-01 23:06
Severity ?
EPSS score ?
Summary
SolarWinds Access Rights Manager (ARM) is susceptible to a Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "affected", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-23469", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-07-18T00:00:00+00:00", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-19T03:55:29.839Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:06:24.579Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "previous versions", versionType: "2024.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "SolarWinds Access Rights Manager (ARM) is susceptible to a Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges. ", }, ], value: "SolarWinds Access Rights Manager (ARM) is susceptible to a Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges. ", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-20", description: "CWE-20 Improper Input Validation", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-17T14:26:47.787Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager Exposed Dangerous Method Remote Code Execution Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-23469", datePublished: "2024-07-17T14:26:47.787Z", dateReserved: "2024-01-17T16:07:35.067Z", dateUpdated: "2024-08-01T23:06:24.579Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-40057
Vulnerability from cvelistv5
Published
2024-02-15 20:36
Modified
2024-08-12 20:38
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T18:24:54.690Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40057", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unaffected", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThan: "2023.2.2", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-40057", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-06-05T14:05:24.884476Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-12T20:38:17.160Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.2 ", status: "affected", version: "previous versions", versionType: "2023.2.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Anonymous working with Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution.<br>", }, ], value: "The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution.\n", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-15T20:49:04.504Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40057", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.3<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.3\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2023-40057", datePublished: "2024-02-15T20:36:12.759Z", dateReserved: "2023-08-08T23:22:08.618Z", dateUpdated: "2024-08-12T20:38:17.160Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-28991
Vulnerability from cvelistv5
Published
2024-09-12 13:17
Modified
2024-09-17 03:55
Severity ?
EPSS score ?
Summary
SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2024.3", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-28991", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-09-16T00:00:00+00:00", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-17T03:55:15.762Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2024.3", status: "affected", version: "previous versions", versionType: "2024.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution.", }, ], value: "SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution.", }, ], impacts: [ { capecId: "CAPEC-586", descriptions: [ { lang: "en", value: "CAPEC-586 Object Injection", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-09-12T13:17:30.721Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28991", }, { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3-1_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager (ARM) 2024.3.1 SR<br>", }, ], value: "All SolarWinds customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager (ARM) 2024.3.1 SR", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-28991", datePublished: "2024-09-12T13:17:30.721Z", dateReserved: "2024-03-13T20:27:09.783Z", dateUpdated: "2024-09-17T03:55:15.762Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-28075
Vulnerability from cvelistv5
Published
2024-05-09 12:42
Modified
2024-08-02 00:48
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution.
We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:-:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThan: "2023.2.4", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-28075", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-06-05T14:13:32.125480Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-06-05T16:14:26.541Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T00:48:48.249Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28075", }, { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-4_release_notes.htm", }, { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/secure-your-arm-deployment.htm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.3", status: "affected", version: "previous versions", versionType: "2023.2.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], datePublic: "2024-05-09T09:02:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution. <br><br>We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. ", }, ], value: "The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution. \n\nWe thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. ", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-05-09T12:42:44.975Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28075", }, { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-4_release_notes.htm", }, { url: "https://documentation.solarwinds.com/en/success_center/arm/content/secure-your-arm-deployment.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.4<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.4\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-28075", datePublished: "2024-05-09T12:42:44.975Z", dateReserved: "2024-03-01T08:53:44.513Z", dateUpdated: "2024-08-02T00:48:48.249Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23475
Vulnerability from cvelistv5
Published
2024-07-17 14:26
Modified
2024-08-01 23:06
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-23475", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-07-22T15:26:11.105895Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-22T15:28:43.606Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:06:24.672Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "previous versions", versionType: "2024.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.", }, ], value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.", }, ], impacts: [ { capecId: "CAPEC-37", descriptions: [ { lang: "en", value: "CAPEC-37 Retrieve Embedded Sensitive Data", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-17T14:26:02.809Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager Directory Traversal and Information Disclosure Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-23475", datePublished: "2024-07-17T14:26:02.809Z", dateReserved: "2024-01-17T16:10:36.175Z", dateUpdated: "2024-08-01T23:06:24.672Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-28990
Vulnerability from cvelistv5
Published
2024-09-12 13:16
Modified
2024-09-12 19:10
Severity ?
EPSS score ?
Summary
SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability would allow access to the RabbitMQ management console.
We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-28990", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-09-12T19:10:49.936310Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T19:10:59.173Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2024.3", status: "affected", version: "previous versions", versionType: "2024.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability would allow access to the RabbitMQ management console.<br><br>We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.<br><br>", }, ], value: "SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability would allow access to the RabbitMQ management console.\n\nWe thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.", }, ], impacts: [ { capecId: "CAPEC-21", descriptions: [ { lang: "en", value: "CAPEC-21 Exploitation of Trusted Credentials", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-798", description: "CWE-798 Use of Hard-coded Credentials", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-09-12T13:16:35.586Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28990", }, { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3-1_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "SolarWinds recommends that customers upgrade to SolarWinds Access Rights Manager (ARM) 2024.3.1 SR as soon as it becomes available.<br>", }, ], value: "SolarWinds recommends that customers upgrade to SolarWinds Access Rights Manager (ARM) 2024.3.1 SR as soon as it becomes available.", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager (ARM) Hardcoded Credentials Authentication Bypass Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-28990", datePublished: "2024-09-12T13:16:35.586Z", dateReserved: "2024-03-13T20:27:09.783Z", dateUpdated: "2024-09-12T19:10:59.173Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23466
Vulnerability from cvelistv5
Published
2024-07-17 14:28
Modified
2024-08-01 23:06
Severity ?
EPSS score ?
Summary
SolarWinds Access Rights Manager (ARM) is susceptible to a Directory Traversal Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "affected", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-23466", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-07-18T00:00:00+00:00", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-20T03:55:29.892Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:06:24.579Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "previous versions", versionType: "2024.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Anonymous working with Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "SolarWinds Access Rights Manager (ARM) is susceptible to a Directory Traversal Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges. ", }, ], value: "SolarWinds Access Rights Manager (ARM) is susceptible to a Directory Traversal Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges. ", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-17T14:28:17.041Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager Directory Traversal Remote Code Execution Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-23466", datePublished: "2024-07-17T14:28:17.041Z", dateReserved: "2024-01-17T16:07:35.065Z", dateUpdated: "2024-08-01T23:06:24.579Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-35183
Vulnerability from cvelistv5
Published
2023-10-19 14:23
Modified
2024-09-13 14:32
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows authenticated users to abuse local resources to Privilege Escalation.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T16:23:59.478Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35183", }, { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.0.73", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-35183", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-09-13T14:31:39.184442Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-13T14:32:25.149Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.0.73", status: "affected", version: "previous versions", versionType: "2023.2", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], datePublic: "2023-10-18T07:00:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows authenticated users to abuse local resources to Privilege Escalation.", }, ], value: "The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows authenticated users to abuse local resources to Privilege Escalation.", }, ], impacts: [ { capecId: "CAPEC-233", descriptions: [ { lang: "en", value: "CAPEC-233 Privilege Escalation", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-276", description: "CWE-276 Incorrect Default Permissions", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-10-19T14:23:59.019Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35183", }, { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.1<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.1\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2023-35183", datePublished: "2023-10-19T14:23:59.019Z", dateReserved: "2023-06-14T20:03:23.107Z", dateUpdated: "2024-09-13T14:32:25.149Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-35185
Vulnerability from cvelistv5
Published
2023-10-19 14:24
Modified
2024-10-15 18:32
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T16:23:59.460Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35185", }, { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-35185", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-10-15T17:15:33.444276Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-10-15T18:32:08.169Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.0.73", status: "affected", version: "previous versions", versionType: "2023.2", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative", }, ], datePublic: "2023-10-18T07:00:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges. ", }, ], value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges. ", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-12-28T17:05:58.115Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35185", }, { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.1<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.1\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager OpenFile Directory Traversal Remote Code Execution Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2023-35185", datePublished: "2023-10-19T14:24:15.553Z", dateReserved: "2023-06-14T20:03:23.107Z", dateUpdated: "2024-10-15T18:32:08.169Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-35187
Vulnerability from cvelistv5
Published
2023-10-19 14:24
Modified
2024-09-13 15:35
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability allows an unauthenticated user to achieve the Remote Code Execution.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T16:23:59.366Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35187", }, { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.0.73", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-35187", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-09-13T15:35:05.309089Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-13T15:35:58.950Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.0.73", status: "affected", version: "previous versions", versionType: "2023.2", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative", }, ], datePublic: "2023-10-18T07:00:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability allows an unauthenticated user to achieve the Remote Code Execution.", }, ], value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability allows an unauthenticated user to achieve the Remote Code Execution.", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-10-19T14:24:33.720Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35187", }, { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.1<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.1\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager Directory Traversal Remote Code Execution Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2023-35187", datePublished: "2023-10-19T14:24:33.720Z", dateReserved: "2023-06-14T20:03:23.108Z", dateUpdated: "2024-09-13T15:35:58.950Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23471
Vulnerability from cvelistv5
Published
2024-07-17 14:31
Modified
2024-08-01 23:06
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:-:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "0", versionType: "custom", }, { lessThan: "2024.3", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-23471", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-07-18T00:00:00+00:00", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-19T03:55:34.803Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:06:24.643Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "previous versions", versionType: "2024.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Anonymous working with Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution. ", }, ], value: "The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution. ", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-287", description: "CWE-287 Improper Authentication", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-17T14:31:28.669Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n\n<br>", }, ], value: "\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n\n\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager (ARM) CreateFile Directory Traversal Remote Code Execution Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-23471", datePublished: "2024-07-17T14:31:28.669Z", dateReserved: "2024-01-17T16:07:35.067Z", dateUpdated: "2024-08-01T23:06:24.643Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23476
Vulnerability from cvelistv5
Published
2024-02-15 20:35
Modified
2024-08-27 18:57
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve the Remote Code Execution.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-01T23:06:24.674Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23476", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.2", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-23476", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-06-05T14:05:30.423986Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-27T18:57:23.187Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.2 ", status: "affected", version: "previous versions", versionType: "2023.2.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Anonymous working with Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve the Remote Code Execution.<br>", }, ], value: "The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve the Remote Code Execution.\n", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-15T20:48:39.529Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23476", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.3<br>", }, ], value: "\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.3\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager (ARM) Directory Traversal Remote Code Execution Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-23476", datePublished: "2024-02-15T20:35:52.612Z", dateReserved: "2024-01-17T16:10:36.176Z", dateUpdated: "2024-08-27T18:57:23.187Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-35227
Vulnerability from cvelistv5
Published
2021-10-21 17:41
Modified
2024-09-16 23:15
Severity ?
EPSS score ?
Summary
The HTTP interface was enabled for RabbitMQ Plugin in ARM 2020.2.6 and the ability to configure HTTPS was not available.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: 2020.2.6 and previous versions < |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T00:33:51.271Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35227", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2021-4_release_notes.htm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { platforms: [ "Windows", ], product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2021.4", status: "affected", version: "2020.2.6 and previous versions", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "SolarWinds would like to thank Chris Townsend for reporting on the issue in a responsible manner.", }, ], datePublic: "2021-09-19T00:00:00", descriptions: [ { lang: "en", value: "The HTTP interface was enabled for RabbitMQ Plugin in ARM 2020.2.6 and the ability to configure HTTPS was not available.", }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-10-21T17:41:34", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35227", }, { tags: [ "x_refsource_MISC", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2021-4_release_notes.htm", }, ], solutions: [ { lang: "en", value: "SolarWinds recommends installing 2021.4 for the ARM as soon as it becomes available.", }, ], source: { defect: [ "CVE-2021-35227", ], discovery: "EXTERNAL", }, title: "Insecure Web Configuration for RabbitMQ Management Plugin in SolarWinds ARM", workarounds: [ { lang: "en", value: "Customers are advised to update to ARM 2021.4 once it becomes available", }, ], x_generator: { engine: "Vulnogram 0.0.9", }, x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "psirt@solarwinds.com", DATE_PUBLIC: "2021-09-19T22:29:00.000Z", ID: "CVE-2021-35227", STATE: "PUBLIC", TITLE: "Insecure Web Configuration for RabbitMQ Management Plugin in SolarWinds ARM", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Access Rights Manager", version: { version_data: [ { platform: "Windows", version_affected: "<=", version_name: "2020.2.6 and previous versions", version_value: "2021.4", }, ], }, }, ], }, vendor_name: "SolarWinds", }, ], }, }, credit: [ { lang: "eng", value: "SolarWinds would like to thank Chris Townsend for reporting on the issue in a responsible manner.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The HTTP interface was enabled for RabbitMQ Plugin in ARM 2020.2.6 and the ability to configure HTTPS was not available.", }, ], }, generator: { engine: "Vulnogram 0.0.9", }, impact: { cvss: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-79", }, ], }, ], }, references: { reference_data: [ { name: "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35227", refsource: "MISC", url: "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35227", }, { name: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2021-4_release_notes.htm", refsource: "MISC", url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2021-4_release_notes.htm", }, ], }, solution: [ { lang: "en", value: "SolarWinds recommends installing 2021.4 for the ARM as soon as it becomes available.", }, ], source: { defect: [ "CVE-2021-35227", ], discovery: "EXTERNAL", }, work_around: [ { lang: "en", value: "Customers are advised to update to ARM 2021.4 once it becomes available", }, ], }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2021-35227", datePublished: "2021-10-21T17:41:34.442595Z", dateReserved: "2021-06-22T00:00:00", dateUpdated: "2024-09-16T23:15:48.252Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23477
Vulnerability from cvelistv5
Published
2024-02-15 20:35
Modified
2024-08-01 23:06
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unaffected", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.2", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-23477", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-02-22T05:00:44.054316Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-26T14:51:30.634Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:06:24.637Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23477", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.2 ", status: "affected", version: "previous versions", versionType: "2023.2.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Anonymous working with Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.<br>", }, ], value: "The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.\n", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 7.9, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-02-15T20:48:50.612Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23477", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.3<br>", }, ], value: "\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.3\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager (ARM) Directory Traversal Remote Code Execution Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-23477", datePublished: "2024-02-15T20:35:56.952Z", dateReserved: "2024-01-17T16:10:36.176Z", dateUpdated: "2024-08-01T23:06:24.637Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23468
Vulnerability from cvelistv5
Published
2024-07-17 14:23
Modified
2024-08-01 23:06
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-23468", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-17T15:28:05.034830Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-17T15:28:16.116Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:06:24.667Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "previous versions", versionType: "2024.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.", }, ], value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.", }, ], impacts: [ { capecId: "CAPEC-37", descriptions: [ { lang: "en", value: "CAPEC-37 Retrieve Embedded Sensitive Data", }, ], }, { capecId: "CAPEC-165", descriptions: [ { lang: "en", value: "CAPEC-165 File Manipulation", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-17T14:23:05.079Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n\n<br>", }, ], value: "\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n\n\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager Directory Traversal and Information Disclosure Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-23468", datePublished: "2024-07-17T14:23:05.079Z", dateReserved: "2024-01-17T16:07:35.067Z", dateUpdated: "2024-08-01T23:06:24.667Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-35186
Vulnerability from cvelistv5
Published
2023-10-19 14:21
Modified
2024-09-12 19:29
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T16:23:59.626Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35186", }, { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.0.73", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-35186", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-09-12T19:23:42.919006Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T19:29:05.305Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.0.73", status: "affected", version: "previous versions", versionType: "2023.2", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], datePublic: "2023-10-18T07:00:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution.", }, ], value: "The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution.", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-10-19T14:21:57.282Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35186", }, { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.1<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.1\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager Deserialization of Untrusted Data Remote Code Execution Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2023-35186", datePublished: "2023-10-19T14:21:57.282Z", dateReserved: "2023-06-14T20:03:23.107Z", dateUpdated: "2024-09-12T19:29:05.305Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-35180
Vulnerability from cvelistv5
Published
2023-10-19 14:23
Modified
2024-09-12 20:41
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows authenticated users to abuse SolarWinds ARM API.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T16:23:59.684Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35180", }, { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.0.73", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-35180", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-09-12T20:37:34.450358Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T20:41:27.923Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.0.73", status: "affected", version: "previous versions", versionType: "2023.2", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], datePublic: "2023-10-18T07:00:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows authenticated users to abuse SolarWinds ARM API.", }, ], value: "The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows authenticated users to abuse SolarWinds ARM API.", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-10-19T14:23:48.383Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35180", }, { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.1<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.1\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager Deserialization of Untrusted Data Remote Code Execution Vulnerability ", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2023-35180", datePublished: "2023-10-19T14:23:48.383Z", dateReserved: "2023-06-14T20:03:23.107Z", dateUpdated: "2024-09-12T20:41:27.923Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23474
Vulnerability from cvelistv5
Published
2024-07-17 14:22
Modified
2024-08-01 23:06
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-23474", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-17T14:48:00.572322Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-17T14:48:06.084Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:06:24.699Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "previous versions", versionType: "2024.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability.", }, ], value: "The SolarWinds Access Rights Manager was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability.", }, ], impacts: [ { capecId: "CAPEC-37", descriptions: [ { lang: "en", value: "CAPEC-37 Retrieve Embedded Sensitive Data", }, ], }, { capecId: "CAPEC-165", descriptions: [ { lang: "en", value: "CAPEC-165 File Manipulation", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-17T14:22:19.833Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager (ARM) deleteTransferFile Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-23474", datePublished: "2024-07-17T14:22:19.833Z", dateReserved: "2024-01-17T16:07:35.068Z", dateUpdated: "2024-08-01T23:06:24.699Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23465
Vulnerability from cvelistv5
Published
2024-07-17 14:27
Modified
2024-08-01 23:06
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was found to be susceptible to an authentication bypass vulnerability. This vulnerability allows an unauthenticated user to gain domain admin access within the Active Directory environment.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "affected", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThan: "2023.2.4", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-23465", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-07-19T03:55:31.743657Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-19T15:52:58.074Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:06:24.653Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "previous versions", versionType: "2024.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was found to be susceptible to an authentication bypass vulnerability. This vulnerability allows an unauthenticated user to gain domain admin access within the Active Directory environment. ", }, ], value: "The SolarWinds Access Rights Manager was found to be susceptible to an authentication bypass vulnerability. This vulnerability allows an unauthenticated user to gain domain admin access within the Active Directory environment. ", }, ], impacts: [ { capecId: "CAPEC-1", descriptions: [ { lang: "en", value: "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.3, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-287", description: "CWE-287 Improper Authentication", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-17T14:27:31.092Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager (ARM) ChangeHumster Exposed Dangerous Method Authentication Bypass Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-23465", datePublished: "2024-07-17T14:27:31.092Z", dateReserved: "2024-01-17T16:07:35.064Z", dateUpdated: "2024-08-01T23:06:24.653Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-35182
Vulnerability from cvelistv5
Published
2023-10-19 14:23
Modified
2024-09-12 20:35
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability can be abused by unauthenticated users on SolarWinds ARM Server.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T16:23:59.638Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35182", }, { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, ], title: "CVE Program Container", }, { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.0.73", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2023-35182", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-09-12T20:33:28.888660Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-09-12T20:35:49.631Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.0.73", status: "affected", version: "previous versions", versionType: "2023.2", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam) working with Trend Micro Zero Day Initiative", }, ], datePublic: "2023-10-18T07:00:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability can be abused by unauthenticated users on SolarWinds ARM Server.", }, ], value: "The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability can be abused by unauthenticated users on SolarWinds ARM Server.", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-502", description: "CWE-502 Deserialization of Untrusted Data", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-10-19T14:23:31.797Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35182", }, { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.1<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.1\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager Deserialization of Untrusted Data Remote Code Execution Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2023-35182", datePublished: "2023-10-19T14:23:31.797Z", dateReserved: "2023-06-14T20:03:23.107Z", dateUpdated: "2024-09-12T20:35:49.631Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23472
Vulnerability from cvelistv5
Published
2024-07-17 14:25
Modified
2024-08-01 23:06
Severity ?
EPSS score ?
Summary
SolarWinds Access Rights Manager (ARM) is susceptible to Directory Traversal vulnerability. This vulnerability allows an authenticated user to arbitrary read and delete files in ARM.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2024.3", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-23472", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-07-18T00:00:00+00:00", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-19T03:55:30.537Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:06:24.628Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "previous versions", versionType: "2024.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "SolarWinds Access Rights Manager (ARM) is susceptible to Directory Traversal vulnerability. This vulnerability allows an authenticated user to arbitrary read and delete files in ARM.", }, ], value: "SolarWinds Access Rights Manager (ARM) is susceptible to Directory Traversal vulnerability. This vulnerability allows an authenticated user to arbitrary read and delete files in ARM.", }, ], impacts: [ { capecId: "CAPEC-37", descriptions: [ { lang: "en", value: "CAPEC-37 Retrieve Embedded Sensitive Data", }, ], }, { capecId: "CAPEC-165", descriptions: [ { lang: "en", value: "CAPEC-165 File Manipulation", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-22", description: "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-17T14:25:20.607Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-23472", datePublished: "2024-07-17T14:25:20.607Z", dateReserved: "2024-01-17T16:07:35.068Z", dateUpdated: "2024-08-01T23:06:24.628Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-28992
Vulnerability from cvelistv5
Published
2024-07-17 14:23
Modified
2024-08-02 01:03
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-28992", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-23T15:41:48.761731Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-24T18:47:35.536Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T01:03:51.617Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "previous versions", versionType: "2024.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.", }, ], value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.", }, ], impacts: [ { capecId: "CAPEC-37", descriptions: [ { lang: "en", value: "CAPEC-37 Retrieve Embedded Sensitive Data", }, ], }, { capecId: "CAPEC-165", descriptions: [ { lang: "en", value: "CAPEC-165 File Manipulation", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-287", description: "CWE-287 Improper Authentication", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-17T14:23:50.488Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3<br>", }, ], value: "All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager Directory Traversal and Information Disclosure Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-28992", datePublished: "2024-07-17T14:23:50.488Z", dateReserved: "2024-03-13T20:27:09.783Z", dateUpdated: "2024-08-02T01:03:51.617Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-23470
Vulnerability from cvelistv5
Published
2024-07-17 14:30
Modified
2024-08-01 23:06
Severity ?
EPSS score ?
Summary
The SolarWinds Access Rights Manager was found to be susceptible to a pre-authentication remote code execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to run commands and executables.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SolarWinds | Access Rights Manager |
Version: previous versions |
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", ], defaultStatus: "affected", product: "access_rights_manager", vendor: "solarwinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-23470", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-07-19T03:55:35.930561Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-19T14:48:23.851Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-01T23:06:24.673Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "affected", product: "Access Rights Manager", vendor: "SolarWinds", versions: [ { lessThanOrEqual: "2023.2.4", status: "affected", version: "previous versions", versionType: "2024.3", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Anonymous working with Trend Micro Zero Day Initiative", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "The SolarWinds Access Rights Manager was found to be susceptible to a pre-authentication remote code execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to run commands and executables. ", }, ], value: "The SolarWinds Access Rights Manager was found to be susceptible to a pre-authentication remote code execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to run commands and executables. ", }, ], impacts: [ { capecId: "CAPEC-253", descriptions: [ { lang: "en", value: "CAPEC-253 Remote Code Inclusion", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-287", description: "CWE-287 Improper Authentication", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-17T14:30:37.081Z", orgId: "49f11609-934d-4621-84e6-e02e032104d6", shortName: "SolarWinds", }, references: [ { url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "\n\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3<br>", }, ], value: "\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3\n", }, ], source: { discovery: "UNKNOWN", }, title: "SolarWinds Access Rights Manager (ARM) UserScriptHumster Exposed Dangerous Method Remote Command Execution Vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "49f11609-934d-4621-84e6-e02e032104d6", assignerShortName: "SolarWinds", cveId: "CVE-2024-23470", datePublished: "2024-07-17T14:30:37.081Z", dateReserved: "2024-01-17T16:07:35.067Z", dateUpdated: "2024-08-01T23:06:24.673Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Vulnerability from fkie_nvd
Published
2023-12-21 17:15
Modified
2024-11-21 08:18
Severity ?
6.5 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "6285B061-B997-46F8-817E-8485E00E4FD9", versionEndIncluding: "2023.2.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment. \n\n\n\n\n\n\n", }, { lang: "es", value: "Se agregaron datos confidenciales a nuestra base de conocimiento pública que, si se explotan, podrían usarse para acceder a componentes de Access Rights Manager (ARM) si el actor de la amenaza se encuentra en el mismo entorno.", }, ], id: "CVE-2023-40058", lastModified: "2024-11-21T08:18:37.423", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "psirt@solarwinds.com", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Secondary", }, ], }, published: "2023-12-21T17:15:07.763", references: [ { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40058", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40058", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-200", }, ], source: "psirt@solarwinds.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-10-19 15:15
Modified
2024-11-21 08:08
Severity ?
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows authenticated users to abuse SolarWinds ARM API.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "D2286244-6B0B-40D7-BC8B-8F843005B66B", versionEndIncluding: "2023.2.0.73", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows authenticated users to abuse SolarWinds ARM API.", }, { lang: "es", value: "SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de ejecución remota de código. Esta vulnerabilidad permite a los usuarios autenticados abusar de la API ARM de SolarWinds.", }, ], id: "CVE-2023-35180", lastModified: "2024-11-21T08:08:06.487", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.1, impactScore: 5.9, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-10-19T15:15:08.823", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35180", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35180", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-09-12 14:16
Modified
2025-02-26 18:45
Severity ?
6.3 (Medium) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability would allow access to the RabbitMQ management console.
We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "B1FB1A00-C9FD-4DDF-B782-F2CD9EABE995", versionEndExcluding: "2024.3.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability would allow access to the RabbitMQ management console.\n\nWe thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.", }, { lang: "es", value: "Se descubrió que SolarWinds Access Rights Manager (ARM) contenía una vulnerabilidad de omisión de autenticación de credenciales codificada. Si se explotara, esta vulnerabilidad permitiría el acceso a la consola de administración de RabbitMQ. Agradecemos a Trend Micro Zero Day Initiative (ZDI) por su colaboración continua en la coordinación con SolarWinds para la divulgación responsable de esta y otras posibles vulnerabilidades.", }, ], id: "CVE-2024-28990", lastModified: "2025-02-26T18:45:23.190", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "LOW", baseScore: 6.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.4, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-09-12T14:16:06.273", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3-1_release_notes.htm", }, { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28990", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-798", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-17 15:15
Modified
2025-02-26 18:40
Severity ?
7.6 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
8.3 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
8.3 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
Summary
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@solarwinds.com | https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "DC3AC50B-3261-4394-80A9-15303C2C1D58", versionEndIncluding: "2023.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.", }, { lang: "es", value: "SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de divulgación de información y Directory Traversal. Esta vulnerabilidad permite que un usuario no autenticado realice una eliminación arbitraria de archivos y filtre información confidencial.", }, ], id: "CVE-2024-23468", lastModified: "2025-02-26T18:40:48.803", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 4.7, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.3, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-07-17T15:15:11.730", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-02-15 21:15
Modified
2024-11-21 08:57
Severity ?
7.9 (High) - CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@solarwinds.com | https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23477 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23477 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "2C08A49C-ABE0-488A-8F47-151E406D22D0", versionEndExcluding: "2023.2.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.\n", }, { lang: "es", value: "Se descubrió que SolarWinds Access Rights Manager (ARM) era susceptible a una vulnerabilidad de Directory Traversal Remote Code Execution. Si se explota, esta vulnerabilidad permite a un usuario no autenticado lograr una ejecución remota de código.", }, ], id: "CVE-2024-23477", lastModified: "2024-11-21T08:57:47.693", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 7.9, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 6, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-02-15T21:15:09.603", references: [ { source: "psirt@solarwinds.com", tags: [ "Patch", "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23477", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23477", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "psirt@solarwinds.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-22", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-17 15:15
Modified
2025-02-26 18:42
Severity ?
9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The SolarWinds Access Rights Manager was found to be susceptible to a pre-authentication remote code execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to run commands and executables.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "DC3AC50B-3261-4394-80A9-15303C2C1D58", versionEndIncluding: "2023.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was found to be susceptible to a pre-authentication remote code execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to run commands and executables. ", }, { lang: "es", value: "Se descubrió que SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de ejecución remota de código de autenticación previa. Si se explota, esta vulnerabilidad permite que un usuario no autenticado ejecute comandos y ejecutables.", }, ], id: "CVE-2024-23470", lastModified: "2025-02-26T18:42:36.893", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 6, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-07-17T15:15:12.167", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-17 15:15
Modified
2025-02-26 18:40
Severity ?
9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform remote code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@solarwinds.com | https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "DC3AC50B-3261-4394-80A9-15303C2C1D58", versionEndIncluding: "2023.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform remote code execution.", }, { lang: "es", value: "SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de divulgación de información y Directory Traversal. Esta vulnerabilidad permite que un usuario no autenticado realice la ejecución remota de código.", }, ], id: "CVE-2024-23467", lastModified: "2025-02-26T18:40:25.433", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 6, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-07-17T15:15:11.500", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-10-19 15:15
Modified
2024-11-21 08:08
Severity ?
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability can be abused by unauthenticated users on SolarWinds ARM Server.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "D2286244-6B0B-40D7-BC8B-8F843005B66B", versionEndIncluding: "2023.2.0.73", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability can be abused by unauthenticated users on SolarWinds ARM Server.", }, { lang: "es", value: "SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de ejecución remota de código. Esta vulnerabilidad puede ser aprovechada por usuarios no autenticados en SolarWinds ARM Server.", }, ], id: "CVE-2023-35182", lastModified: "2024-11-21T08:08:06.750", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-10-19T15:15:09.070", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35182", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35182", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-02-15 21:15
Modified
2024-11-21 08:57
Severity ?
Summary
SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "2C08A49C-ABE0-488A-8F47-151E406D22D0", versionEndExcluding: "2023.2.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.\n", }, { lang: "es", value: "Se descubrió que SolarWinds Access Rights Manager (ARM) era susceptible a una vulnerabilidad de Directory Traversal Remote Code Execution. Si se explota, esta vulnerabilidad permite a un usuario no autenticado lograr una ejecución remota de código.", }, ], id: "CVE-2024-23479", lastModified: "2024-11-21T08:57:47.987", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 6, source: "psirt@solarwinds.com", type: "Primary", }, ], }, published: "2024-02-15T21:15:10.213", references: [ { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23479", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23479", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-17 15:15
Modified
2025-02-26 18:43
Severity ?
9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "DC3AC50B-3261-4394-80A9-15303C2C1D58", versionEndIncluding: "2023.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.", }, { lang: "es", value: "SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de divulgación de información y Directory Traversal. Esta vulnerabilidad permite que un usuario no autenticado realice una eliminación arbitraria de archivos y filtre información confidencial.", }, ], id: "CVE-2024-23475", lastModified: "2025-02-26T18:43:33.313", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 6, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-07-17T15:15:13.057", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-17 15:15
Modified
2025-02-26 18:45
Severity ?
7.6 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
8.3 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
8.3 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
Summary
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@solarwinds.com | https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "DC3AC50B-3261-4394-80A9-15303C2C1D58", versionEndIncluding: "2023.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.", }, { lang: "es", value: "SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de divulgación de información y Directory Traversal. Esta vulnerabilidad permite que un usuario no autenticado realice una eliminación arbitraria de archivos y filtre información confidencial.", }, ], id: "CVE-2024-28992", lastModified: "2025-02-26T18:45:45.743", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 4.7, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.3, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-07-17T15:15:13.623", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "psirt@solarwinds.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-22", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-17 15:15
Modified
2025-02-26 18:43
Severity ?
9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
SolarWinds Access Rights Manager (ARM) is susceptible to Directory Traversal vulnerability. This vulnerability allows an authenticated user to arbitrary read and delete files in ARM.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@solarwinds.com | https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "DC3AC50B-3261-4394-80A9-15303C2C1D58", versionEndIncluding: "2023.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SolarWinds Access Rights Manager (ARM) is susceptible to Directory Traversal vulnerability. This vulnerability allows an authenticated user to arbitrary read and delete files in ARM.", }, { lang: "es", value: "SolarWinds Access Rights Manager (ARM) es susceptible a la vulnerabilidad de directory traversal. Esta vulnerabilidad permite a un usuario autenticado leer y eliminar archivos arbitrariamente en ARM.", }, ], id: "CVE-2024-23472", lastModified: "2025-02-26T18:43:12.880", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 6, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.1, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-07-17T15:15:12.627", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-02-15 21:15
Modified
2024-11-21 08:57
Severity ?
Summary
SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service, resulting in remote code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@solarwinds.com | https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23478 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23478 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "2C08A49C-ABE0-488A-8F47-151E406D22D0", versionEndExcluding: "2023.2.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service, resulting in remote code execution.\n", }, { lang: "es", value: "Se descubrió que SolarWinds Access Rights Manager (ARM) era susceptible a una vulnerabilidad de ejecución remota de código. Si se explota, esta vulnerabilidad permite que un usuario autenticado abuse de un servicio de SolarWinds, lo que resulta en la ejecución remota de código.", }, ], id: "CVE-2024-23478", lastModified: "2024-11-21T08:57:47.847", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.1, impactScore: 5.9, source: "psirt@solarwinds.com", type: "Primary", }, ], }, published: "2024-02-15T21:15:09.867", references: [ { source: "psirt@solarwinds.com", tags: [ "Patch", "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23478", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23478", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-17 15:15
Modified
2025-02-26 18:40
Severity ?
9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
SolarWinds Access Rights Manager (ARM) is susceptible to a Directory Traversal Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "DC3AC50B-3261-4394-80A9-15303C2C1D58", versionEndIncluding: "2023.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SolarWinds Access Rights Manager (ARM) is susceptible to a Directory Traversal Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges. ", }, { lang: "es", value: "SolarWinds Access Rights Manager (ARM) es susceptible a una vulnerabilidad de ejecución remota de código Directory Traversal. Si se explota, esta vulnerabilidad permite que un usuario no autenticado realice acciones con privilegios de SYSTEM.", }, ], id: "CVE-2024-23466", lastModified: "2025-02-26T18:40:14.357", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 6, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-07-17T15:15:11.270", references: [ { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-17 15:15
Modified
2025-02-26 18:44
Severity ?
9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager. While some controls were implemented the researcher was able to bypass these and use a different method to exploit the vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "DC3AC50B-3261-4394-80A9-15303C2C1D58", versionEndIncluding: "2023.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager. While some controls were implemented the researcher was able to bypass these and use a different method to exploit the vulnerability.", }, { lang: "es", value: "Se descubrió que una vulnerabilidad anterior no se solucionó por completo con SolarWinds Access Rights Manager. Si bien se implementaron algunos controles, el investigador pudo evitarlos y utilizar un método diferente para explotar la vulnerabilidad.", }, ], id: "CVE-2024-28074", lastModified: "2025-02-26T18:44:42.420", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 6, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-07-17T15:15:13.417", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-10-19 15:15
Modified
2025-02-26 17:50
Severity ?
6.8 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6.8 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
6.8 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "D2286244-6B0B-40D7-BC8B-8F843005B66B", versionEndIncluding: "2023.2.0.73", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges. ", }, { lang: "es", value: "SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de Directory Traversal Remote Code utilizando privilegios de SYSTEM.", }, ], id: "CVE-2023-35185", lastModified: "2025-02-26T17:50:33.030", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 0.9, impactScore: 5.9, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 6.8, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "HIGH", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 0.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-10-19T15:15:09.330", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35185", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35185", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-10-19 15:15
Modified
2024-11-21 08:08
Severity ?
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service resulting in a remote code execution.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "D2286244-6B0B-40D7-BC8B-8F843005B66B", versionEndIncluding: "2023.2.0.73", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service resulting in a remote code execution.", }, { lang: "es", value: "SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de ejecución remota de código. Esta vulnerabilidad permite que un usuario no autenticado abuse de un servicio de SolarWinds, lo que resulta en la ejecución remota de código.", }, ], id: "CVE-2023-35184", lastModified: "2024-11-21T08:08:07.000", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-10-19T15:15:09.247", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35184", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35184", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-10-19 15:15
Modified
2024-11-21 08:08
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows users to abuse incorrect folder permission resulting in Privilege Escalation.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "D2286244-6B0B-40D7-BC8B-8F843005B66B", versionEndIncluding: "2023.2.0.73", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows users to abuse incorrect folder permission resulting in Privilege Escalation.", }, { lang: "es", value: "SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de escalada de privilegios. Esta vulnerabilidad permite a los usuarios abusar de permisos de carpeta incorrectos, lo que resulta en una escalada de privilegios.", }, ], id: "CVE-2023-35181", lastModified: "2024-11-21T08:08:06.627", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 5.9, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-10-19T15:15:08.983", references: [ { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35181", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35181", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-276", }, ], source: "psirt@solarwinds.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-276", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-17 15:15
Modified
2025-02-26 18:39
Severity ?
8.3 (High) - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The SolarWinds Access Rights Manager was found to be susceptible to an authentication bypass vulnerability. This vulnerability allows an unauthenticated user to gain domain admin access within the Active Directory environment.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "DC3AC50B-3261-4394-80A9-15303C2C1D58", versionEndIncluding: "2023.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was found to be susceptible to an authentication bypass vulnerability. This vulnerability allows an unauthenticated user to gain domain admin access within the Active Directory environment. ", }, { lang: "es", value: "Se descubrió que SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de omisión de autenticación. Esta vulnerabilidad permite que un usuario no autenticado obtenga acceso de administrador de dominio dentro del entorno de Active Directory.", }, ], id: "CVE-2024-23465", lastModified: "2025-02-26T18:39:58.953", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.3, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.6, impactScore: 6, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-07-17T15:15:10.977", references: [ { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "psirt@solarwinds.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-287", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-02-15 21:15
Modified
2024-11-21 08:57
Severity ?
Summary
The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve the Remote Code Execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@solarwinds.com | https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23476 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23476 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "2C08A49C-ABE0-488A-8F47-151E406D22D0", versionEndExcluding: "2023.2.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve the Remote Code Execution.\n", }, { lang: "es", value: "Se descubrió que SolarWinds Access Rights Manager (ARM) era susceptible a una vulnerabilidad de Directory Traversal Remote Code Execution. Si se explota, esta vulnerabilidad permite que un usuario no autenticado logre la ejecución remota de código.", }, ], id: "CVE-2024-23476", lastModified: "2024-11-21T08:57:47.560", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 6, source: "psirt@solarwinds.com", type: "Primary", }, ], }, published: "2024-02-15T21:15:09.353", references: [ { source: "psirt@solarwinds.com", tags: [ "Patch", "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23476", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23476", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-09-12 14:16
Modified
2025-02-26 18:45
Severity ?
9.0 (Critical) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "B1FB1A00-C9FD-4DDF-B782-F2CD9EABE995", versionEndExcluding: "2024.3.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution.", }, { lang: "es", value: "Se descubrió que SolarWinds Access Rights Manager (ARM) es susceptible a una vulnerabilidad de ejecución de código remoto. Si se explota, esta vulnerabilidad permitiría a un usuario autenticado abusar del servicio, lo que daría como resultado la ejecución de código remoto.", }, ], id: "CVE-2024-28991", lastModified: "2025-02-26T18:45:35.787", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 6, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.1, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-09-12T14:16:06.540", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3-1_release_notes.htm", }, { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28991", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "psirt@solarwinds.com", type: "Secondary", }, { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-10-19 15:15
Modified
2024-11-21 08:08
Severity ?
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability allows an unauthenticated user to achieve the Remote Code Execution.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "D2286244-6B0B-40D7-BC8B-8F843005B66B", versionEndIncluding: "2023.2.0.73", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability allows an unauthenticated user to achieve the Remote Code Execution.", }, { lang: "es", value: "SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de Directory Traversal Remote Code. Esta vulnerabilidad permite que un usuario no autenticado logre la ejecución remota de código.", }, ], id: "CVE-2023-35187", lastModified: "2024-11-21T08:08:07.393", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-10-19T15:15:09.500", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35187", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35187", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-10-19 15:15
Modified
2024-11-21 08:08
Severity ?
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "D2286244-6B0B-40D7-BC8B-8F843005B66B", versionEndIncluding: "2023.2.0.73", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution.", }, { lang: "es", value: "SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de ejecución remota de código. Esta vulnerabilidad permite que un usuario autenticado abuse del servicio SolarWinds, lo que resulta en la ejecución remota de código.", }, ], id: "CVE-2023-35186", lastModified: "2024-11-21T08:08:07.257", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.1, impactScore: 5.9, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-10-19T15:15:09.410", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35186", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35186", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-17 15:15
Modified
2025-02-26 18:45
Severity ?
7.6 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
8.3 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
8.3 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
Summary
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@solarwinds.com | https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm | Release Notes, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "291497A0-F464-40AD-8060-A985A2F8D2D0", versionEndExcluding: "2024.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.", }, { lang: "es", value: "SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de divulgación de información y Directory Traversal. Esta vulnerabilidad permite que un usuario no autenticado realice una eliminación arbitraria de archivos y filtre información confidencial.", }, ], id: "CVE-2024-28993", lastModified: "2025-02-26T18:45:53.687", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 4.7, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.3, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-07-17T15:15:13.860", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-05-14 14:59
Modified
2025-02-10 22:48
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The SolarWinds Access Rights Manager was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability allows access to the RabbitMQ management console.
We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "1054025C-3B73-4F7B-A445-43410249B1B7", versionEndExcluding: "2023.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability allows access to the RabbitMQ management console. \n\nWe thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. ", }, { lang: "es", value: "Se descubrió que SolarWinds Access Rights Manager contenía una vulnerabilidad de omisión de autenticación de credenciales codificada. Si se explota, esta vulnerabilidad permite el acceso a la consola de administración de RabbitMQ. Agradecemos a Trend Micro Zero Day Initiative (ZDI) por su asociación continua para coordinar con SolarWinds la divulgación responsable de esta y otras vulnerabilidades potenciales.", }, ], id: "CVE-2024-23473", lastModified: "2025-02-10T22:48:42.210", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 8.6, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 4.7, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.8, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-05-14T14:59:29.340", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-4_release_notes.htm", }, { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23473", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-4_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-23473", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-798", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-10-21 18:15
Modified
2024-11-21 06:12
Severity ?
4.7 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The HTTP interface was enabled for RabbitMQ Plugin in ARM 2020.2.6 and the ability to configure HTTPS was not available.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "A3BE57D6-2B9B-4CA6-9AE2-E4B9FF45DD6C", versionEndIncluding: "2020.2.6", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The HTTP interface was enabled for RabbitMQ Plugin in ARM 2020.2.6 and the ability to configure HTTPS was not available.", }, { lang: "es", value: "La interfaz HTTP estaba habilitada para el plugin RabbitMQ en ARM versión 2020.2.6, y la capacidad de configurar HTTPS no estaba disponible", }, ], id: "CVE-2021-35227", lastModified: "2024-11-21T06:12:06.180", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.6, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:L/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 3.9, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 1, impactScore: 3.6, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-10-21T18:15:10.113", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2021-4_release_notes.htm", }, { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35227", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2021-4_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35227", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "psirt@solarwinds.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-502", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-17 15:15
Modified
2025-02-26 18:42
Severity ?
9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
SolarWinds Access Rights Manager (ARM) is susceptible to a Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "DC3AC50B-3261-4394-80A9-15303C2C1D58", versionEndIncluding: "2023.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "SolarWinds Access Rights Manager (ARM) is susceptible to a Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges. ", }, { lang: "es", value: "SolarWinds Access Rights Manager (ARM) es susceptible a una vulnerabilidad de ejecución remota de código. Si se explota, esta vulnerabilidad permite que un usuario no autenticado realice acciones con privilegios de SYSTEM.", }, ], id: "CVE-2024-23469", lastModified: "2025-02-26T18:42:25.920", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 6, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-07-17T15:15:11.947", references: [ { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-20", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-17 15:15
Modified
2025-02-26 18:43
Severity ?
7.6 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The SolarWinds Access Rights Manager was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "DC3AC50B-3261-4394-80A9-15303C2C1D58", versionEndIncluding: "2023.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability.", }, { lang: "es", value: "Se descubrió que SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de eliminación arbitraria de archivos y divulgación de información.", }, ], id: "CVE-2024-23474", lastModified: "2025-02-26T18:43:23.090", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 7.6, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 4.7, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-07-17T15:15:12.840", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-22", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-05-14 15:13
Modified
2025-02-26 18:44
Severity ?
9.0 (Critical) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution.
We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "1054025C-3B73-4F7B-A445-43410249B1B7", versionEndExcluding: "2023.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution. \n\nWe thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. ", }, { lang: "es", value: "SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de ejecución remota de código. Esta vulnerabilidad permite que un usuario autenticado abuse del servicio SolarWinds, lo que resulta en la ejecución remota de código. Agradecemos a Trend Micro Zero Day Initiative (ZDI) por su asociación continua para coordinar con SolarWinds la divulgación responsable de esta y otras vulnerabilidades potenciales.", }, ], id: "CVE-2024-28075", lastModified: "2025-02-26T18:44:52.290", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 6, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.1, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-05-14T15:13:53.397", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-4_release_notes.htm", }, { source: "psirt@solarwinds.com", tags: [ "Product", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/secure-your-arm-deployment.htm", }, { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28075", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-4_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Product", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/secure-your-arm-deployment.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28075", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-10-19 15:15
Modified
2024-11-21 08:08
Severity ?
Summary
The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows authenticated users to abuse local resources to Privilege Escalation.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "D2286244-6B0B-40D7-BC8B-8F843005B66B", versionEndIncluding: "2023.2.0.73", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows authenticated users to abuse local resources to Privilege Escalation.", }, { lang: "es", value: "SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de escalada de privilegios. Esta vulnerabilidad permite a los usuarios autenticados abusar de los recursos locales para escalar privilegios.", }, ], id: "CVE-2023-35183", lastModified: "2024-11-21T08:08:06.877", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 5.9, source: "psirt@solarwinds.com", type: "Primary", }, ], }, published: "2023-10-19T15:15:09.157", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, { source: "psirt@solarwinds.com", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35183", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", "Vendor Advisory", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35183", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-276", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-02-15 21:15
Modified
2024-11-21 08:18
Severity ?
Summary
The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| psirt@solarwinds.com | https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40057 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40057 | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "C1D2B6ED-102D-4654-B95B-73E06277861B", versionEndExcluding: "2023.2.2", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution.\n", }, { lang: "es", value: "Se descubrió que SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de ejecución remota de código. Si se explota, esta vulnerabilidad permite que un usuario autenticado abuse de un servicio de SolarWinds, lo que resulta en la ejecución remota de código.", }, ], id: "CVE-2023-40057", lastModified: "2024-11-21T08:18:37.287", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 6, source: "psirt@solarwinds.com", type: "Primary", }, ], }, published: "2024-02-15T21:15:08.247", references: [ { source: "psirt@solarwinds.com", tags: [ "Patch", "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40057", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40057", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-502", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-17 15:15
Modified
2025-02-26 18:42
Severity ?
9.6 (Critical) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| solarwinds | access_rights_manager | * |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", matchCriteriaId: "DC3AC50B-3261-4394-80A9-15303C2C1D58", versionEndIncluding: "2023.2.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution. ", }, { lang: "es", value: "Se descubrió que SolarWinds Access Rights Manager era susceptible a una vulnerabilidad de ejecución remota de código. Si se explota, esta vulnerabilidad permite que un usuario autenticado abuse de un servicio de SolarWinds, lo que resulta en la ejecución remota de código.", }, ], id: "CVE-2024-23471", lastModified: "2025-02-26T18:42:49.727", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 6, source: "psirt@solarwinds.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-07-17T15:15:12.403", references: [ { source: "psirt@solarwinds.com", tags: [ "Release Notes", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm", }, ], sourceIdentifier: "psirt@solarwinds.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-287", }, ], source: "psirt@solarwinds.com", type: "Primary", }, ], }