Vulnerability Details :

CVE-2020-10148

Summary
Assigner: certcc
Assigner Org ID: 37e5125f-f79b-445b-8fad-9564f167944b
Published At: 29 Dec, 2020 | 21:55
Updated At: 30 Jul, 2025 | 01:45

SolarWinds Orion Authentication Bypass Vulnerability

SolarWinds Orion API contains an authentication bypass vulnerability that could allow a remote attacker to execute API commands.

▼Known Exploited Vulnerabilities (KEV)
cisa.gov
Vendor: SolarWinds Worldwide, LLC. (SolarWinds)
Product: Orion
Added At: 03 Nov, 2021
Due At: 03 May, 2022

SolarWinds Orion Authentication Bypass Vulnerability

SolarWinds Orion API contains an authentication bypass vulnerability that could allow a remote attacker to execute API commands.

Used in Ransomware: Unknown
CWE: CWE-288
Required Action: Apply updates per vendor instructions.
Additional Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-10148
▼Common Vulnerabilities and Exposures (CVE)
cve.org
▼CVE Numbering Authority (CNA)
SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.

Affected Products
Vendor: SolarWinds Worldwide, LLC. (SolarWinds)
Product: Orion Platform
Versions Affected:
  • 2019.4 HF 5
  • 2020.2 without hotfix
  • 2020.2 HF 1
Problem Types
Type: CWE
CWE ID: CWE-288
Description: CWE-288 Authentication Bypass Using an Alternate Path or Channel
Solutions

Users should update to the relevant versions of the SolarWinds Orion Platform:
  • 2019.4 HF 6 (released December 14, 2020)
  • 2020.2.1 HF 2 (released December 15, 2020)
  • 2019.2 SUPERNOVA Patch (released December 23, 2020)
  • 2018.4 SUPERNOVA Patch (released December 23, 2020)
  • 2018.2 SUPERNOVA Patch (released December 23, 2020)

References
Hyperlink: https://www.solarwinds.com/securityadvisory
Resource: x_refsource_CONFIRM
Hyperlink: https://kb.cert.org/vuls/id/843464
Resource: third-party-advisory, x_refsource_CERT-VN
▼Authorized Data Publishers (ADP)
1. CVE Program Container
References
Hyperlink: https://www.kb.cert.org/vuls/id/843464
Resource: N/A
Hyperlink: https://www.solarwinds.com/securityadvisory
Resource: x_refsource_CONFIRM, x_transferred
Hyperlink: https://kb.cert.org/vuls/id/843464
Resource: third-party-advisory, x_refsource_CERT-VN, x_transferred
2. CISA ADP Vulnrichment
Affected Products

Vendor: SolarWinds Worldwide, LLC. (solarwinds)
Product: orion_platform
CPE: cpe:2.3:a:solarwinds:orion_platform:2019.4:hotfix5:*:*:*:*:*:*
Default Status: unknown
Versions Affected: 2019.4

Vendor: SolarWinds Worldwide, LLC. (solarwinds)
Product: orion_platform
CPE: cpe:2.3:a:solarwinds:orion_platform:2020.2.1:-:*:*:*:*:*:*
Default Status: unknown
Versions Affected: 2020.2.1

Vendor: SolarWinds Worldwide, LLC. (solarwinds)
Product: orion_platform
CPE: cpe:2.3:a:solarwinds:orion_platform:2020.2:hotfix1:*:*:*:*:*:*
Default Status: unknown
Versions Affected: 2020.2

Metrics
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
kev
dateAdded: 2021-11-03
reference: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10148
Timeline
Event: CVE-2020-10148 added to CISA KEV
Date: 2021-11-03 00:00:00
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source: cret@cert.org
Published At: 29 Dec, 2020 | 22:15
Updated At: 17 Mar, 2025 | 19:36

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.

CISA Catalog
Date Added: 2021-11-03
Due Date: 2022-05-03
Vulnerability Name: SolarWinds Orion Authentication Bypass Vulnerability
Required Action: Apply updates per vendor instructions.
Metrics
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Secondary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

CPE Matches

Vendor: SolarWinds Worldwide, LLC. (solarwinds)
Product: orion_platform
Version: 2019.4
CPE: cpe:2.3:a:solarwinds:orion_platform:2019.4:hotfix5:*:*:*:*:*:*

Vendor: SolarWinds Worldwide, LLC. (solarwinds)
Product: orion_platform
Version: 2020.2
CPE: cpe:2.3:a:solarwinds:orion_platform:2020.2:-:*:*:*:*:*:*

Vendor: SolarWinds Worldwide, LLC. (solarwinds)
Product: orion_platform
Version: 2020.2.1
CPE: cpe:2.3:a:solarwinds:orion_platform:2020.2.1:hotfix1:*:*:*:*:*:*

Weaknesses
CWE ID: CWE-288
Type: Secondary
Source: cret@cert.org
CWE ID: CWE-306
Type: Primary
Source: nvd@nist.gov
References
Hyperlink: https://kb.cert.org/vuls/id/843464
Source: cret@cert.org
Resource: Third Party Advisory, US Government Resource

Hyperlink: https://www.solarwinds.com/securityadvisory
Source: cret@cert.org
Resource: Vendor Advisory

Hyperlink: https://kb.cert.org/vuls/id/843464
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: Third Party Advisory, US Government Resource

Hyperlink: https://www.kb.cert.org/vuls/id/843464
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: Third Party Advisory, US Government Resource

Hyperlink: https://www.solarwinds.com/securityadvisory
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: Vendor Advisory
