Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-47506

Summary
Assigner-SolarWinds
Assigner Org ID-49f11609-934d-4621-84e6-e02e032104d6
Published At-15 Feb, 2023 | 00:00
Updated At-18 Mar, 2025 | 19:12
Rejected At-
Credits

SolarWinds Platform Directory Traversal Vulnerability

SolarWinds Platform was susceptible to the Directory Traversal Vulnerability. This vulnerability allows a local adversary with authenticated account access to edit the default configuration, enabling the execution of arbitrary commands.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:SolarWinds
Assigner Org ID:49f11609-934d-4621-84e6-e02e032104d6
Published At:15 Feb, 2023 | 00:00
Updated At:18 Mar, 2025 | 19:12
Rejected At:
â–¼CVE Numbering Authority (CNA)
SolarWinds Platform Directory Traversal Vulnerability

SolarWinds Platform was susceptible to the Directory Traversal Vulnerability. This vulnerability allows a local adversary with authenticated account access to edit the default configuration, enabling the execution of arbitrary commands.

Affected Products
Vendor
SolarWinds Worldwide, LLC.SolarWinds
Product
SolarWinds Platform
Default Status
unaffected
Versions
Affected
  • 2022.4.1 and prior versions 2022.4.1
Problem Types
TypeCWE IDDescription
CWECWE-22CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Type: CWE
CWE ID: CWE-22
Description: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Metrics
VersionBase scoreBase severityVector
3.17.8HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.1.

Configurations
Workarounds
Exploits
Credits
finder
SolarWinds would like to thank Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative for reporting on the issue in a responsible manner.
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htm
N/A
https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47506
N/A
Hyperlink: https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htm
Resource: N/A
Hyperlink: https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47506
Resource: N/A
â–¼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htm
x_transferred
https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47506
x_transferred
Hyperlink: https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htm
Resource:
x_transferred
Hyperlink: https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47506
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@solarwinds.com
Published At:15 Feb, 2023 | 19:15
Updated At:03 Aug, 2023 | 21:15

SolarWinds Platform was susceptible to the Directory Traversal Vulnerability. This vulnerability allows a local adversary with authenticated account access to edit the default configuration, enabling the execution of arbitrary commands.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.8HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Secondary3.17.8HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 7.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CPE Matches
SolarWinds Worldwide, LLC.
solarwinds
>>orion_platform>>2022.4.1
cpe:2.3:a:solarwinds:orion_platform:2022.4.1:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-22Primarynvd@nist.gov
CWE-22Secondarypsirt@solarwinds.com
CWE ID: CWE-22
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-22
Type: Secondary
Source: psirt@solarwinds.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htmpsirt@solarwinds.com
Vendor Advisory
https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47506psirt@solarwinds.com
Vendor Advisory
Hyperlink: https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htm
Source: psirt@solarwinds.com
Resource:
Vendor Advisory
Hyperlink: https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47506
Source: psirt@solarwinds.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

156Records found
CVE-2016-3643
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-5.18% / 90.16%
||
7 Day CHG~0.00%
Published-17 Jun, 2016 | 15:00
Updated-21 Apr, 2026 | 16:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-05-03||Apply updates per vendor instructions.

SolarWinds Virtualization Manager 6.3.1 and earlier allow local users to gain privileges by leveraging a misconfiguration of sudo, as demonstrated by "sudo cat /etc/passwd."

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-virtualization_managern/aVirtualization Manager
CVE-2021-25275
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.11% / 28.33%
||
7 Day CHG~0.00%
Published-03 Feb, 2021 | 16:49
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SolarWinds Orion Platform before 2020.2.4, as used by various SolarWinds products, installs and uses a SQL Server backend, and stores database credentials to access this backend in a file readable by unprivileged users. As a result, any user having access to the filesystem can read database login details from that file, including the login name and its associated password. Then, the credentials can be used to get database owner access to the SWNetPerfMon.DB database. This gives access to the data collected by SolarWinds applications, and leads to admin access to the applications by inserting or changing authentication data stored in the Accounts table of the database.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-orion_platformn/a
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2025-26396
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-7.8||HIGH
EPSS-0.03% / 10.97%
||
7 Day CHG~0.00%
Published-02 Jun, 2025 | 13:04
Updated-26 Feb, 2026 | 18:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Dameware Mini Remote Control Service Incorrect Permissions Local Privilege Escalation Vulnerability

The SolarWinds Dameware Mini Remote Control was determined to be affected by Incorrect Permissions Local Privilege Escalation Vulnerability. This vulnerability requires local access and a valid low privilege account to be susceptible to this vulnerability.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-Dameware Mini Remote Control Service
CWE ID-CWE-269
Improper Privilege Management
CVE-2025-26397
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-7.8||HIGH
EPSS-0.12% / 30.82%
||
7 Day CHG~0.00%
Published-24 Jul, 2025 | 07:57
Updated-12 Nov, 2025 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Observability Self-Hosted Deserialization of Untrusted Data Local Privilege Escalation Vulnerability

SolarWinds Observability Self-Hosted is susceptible to Deserialization of Untrusted Data Local Privilege Escalation vulnerability. An attacker with low privileges can escalate privileges to run malicious files copied to a permission-protected folder. This vulnerability requires authentication from a low-level account and local access to the host server.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-observability_self-hostedSolarWinds Observability Self-Hosted
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-45710
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-7.8||HIGH
EPSS-0.17% / 37.57%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 07:16
Updated-01 Mar, 2025 | 04:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

SolarWinds Platform is susceptible to an Uncontrolled Search Path Element Local Privilege Escalation vulnerability. This requires a low privilege account and local access to the affected node machine.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-solarwinds_platformSolarWinds Platformsolarwinds_platform
CWE ID-CWE-427
Uncontrolled Search Path Element
CVE-2021-35227
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-4.7||MEDIUM
EPSS-0.71% / 72.88%
||
7 Day CHG~0.00%
Published-21 Oct, 2021 | 17:41
Updated-16 Sep, 2024 | 23:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Web Configuration for RabbitMQ Management Plugin in SolarWinds ARM

The HTTP interface was enabled for RabbitMQ Plugin in ARM 2020.2.6 and the ability to configure HTTPS was not available.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-27240
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-0.64% / 71.08%
||
7 Day CHG~0.00%
Published-29 Mar, 2021 | 21:05
Updated-03 Aug, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds Patch Manager 2020.2.1. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the DataGridService WCF service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of Administrator. Was ZDI-CAN-12009.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-patch_managerPatch Manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-27277
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-2.21% / 84.87%
||
7 Day CHG~0.00%
Published-22 Apr, 2021 | 17:50
Updated-03 Aug, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds Orion Virtual Infrastructure Monitor 2020.2. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the OneTimeJobSchedulerEventsService WCF service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-11955.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformOrion Virtual Infrastructure Monitor
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-35181
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-7.8||HIGH
EPSS-0.11% / 28.64%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 14:24
Updated-13 Sep, 2024 | 15:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability

The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows users to abuse incorrect folder permission resulting in Privilege Escalation.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-35183
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-7.8||HIGH
EPSS-0.08% / 23.00%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 14:23
Updated-13 Sep, 2024 | 14:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability

The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows authenticated users to abuse local resources to Privilege Escalation.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2022-47505
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-7.8||HIGH
EPSS-0.28% / 51.92%
||
7 Day CHG~0.00%
Published-21 Apr, 2023 | 00:00
Updated-05 Feb, 2025 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Local Privilege Escalation Vulnerability

The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformSolarWinds Platform
CWE ID-CWE-269
Improper Privilege Management
CVE-2020-25620
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.34% / 57.47%
||
7 Day CHG~0.00%
Published-16 Dec, 2020 | 14:04
Updated-04 Aug, 2024 | 15:40
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in SolarWinds N-Central 12.3.0.670. Hard-coded Credentials exist by default for local user accounts named support@n-able.com and nableadmin@n-able.com. These allow logins to the N-Central Administrative Console (NAC) and/or the regular web interface.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-n-centraln/a
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2001-0054
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-5.08% / 90.02%
||
7 Day CHG~0.00%
Published-07 May, 2001 | 04:00
Updated-16 Apr, 2026 | 00:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in FTP Serv-U before 2.5i allows remote attackers to escape the FTP root and read arbitrary files by appending a string such as "/..%20." to a CD command, a variant of a .. (dot dot) attack.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-serv-u_file_servern/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-28992
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-7.6||HIGH
EPSS-0.35% / 58.06%
||
7 Day CHG~0.00%
Published-17 Jul, 2024 | 14:23
Updated-22 Aug, 2024 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal and Information Disclosure Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manager
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-28995
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8.6||HIGH
EPSS-94.40% / 99.98%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 09:01
Updated-26 Feb, 2026 | 15:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-08-07||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
SolarWinds Serv-U L Directory Transversal Vulnerability

SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.

Action-Not Available
Vendor-SolarWindsSolarWinds Worldwide, LLC.
Product-serv-uSolarWinds Serv-U serv-uServ-U
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-28993
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-7.6||HIGH
EPSS-0.64% / 71.04%
||
7 Day CHG~0.00%
Published-17 Jul, 2024 | 14:24
Updated-22 Aug, 2024 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal and Information Disclosure Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-28073
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8.4||HIGH
EPSS-0.30% / 53.97%
||
7 Day CHG~0.00%
Published-17 Apr, 2024 | 16:58
Updated-10 Feb, 2025 | 22:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Serv-U Directory Traversal Remote Code Execution Vulnerability

SolarWinds Serv-U was found to be susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability requires a highly privileged account to be exploited.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-serv-uServUserv-u
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2011-4800
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9||HIGH
EPSS-1.25% / 79.83%
||
7 Day CHG~0.00%
Published-14 Dec, 2011 | 00:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in Serv-U FTP Server before 11.1.0.5 allows remote authenticated users to read and write arbitrary files, and list and create arbitrary directories, via a "..:/" (dot dot colon forward slash) in the (1) list, (2) put, or (3) get commands.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-serv-u_file_servern/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-23474
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-7.6||HIGH
EPSS-0.06% / 20.36%
||
7 Day CHG~0.00%
Published-17 Jul, 2024 | 14:22
Updated-10 Sep, 2024 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) deleteTransferFile Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability

The SolarWinds Access Rights Manager was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-23468
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-7.6||HIGH
EPSS-0.64% / 71.04%
||
7 Day CHG~0.00%
Published-17 Jul, 2024 | 14:23
Updated-22 Aug, 2024 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal and Information Disclosure Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-23477
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-7.9||HIGH
EPSS-1.41% / 80.95%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 20:35
Updated-01 Aug, 2024 | 23:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) Directory Traversal Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-23475
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-0.24% / 48.11%
||
7 Day CHG~0.00%
Published-17 Jul, 2024 | 14:26
Updated-10 Sep, 2024 | 18:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal and Information Disclosure Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-23479
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-1.30% / 80.20%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 20:34
Updated-06 Aug, 2024 | 15:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) Directory Traversal Remote Code Execution Vulnerability

SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-23466
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-3.18% / 87.29%
||
7 Day CHG~0.00%
Published-17 Jul, 2024 | 14:28
Updated-22 Aug, 2024 | 15:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal Remote Code Execution Vulnerability

SolarWinds Access Rights Manager (ARM) is susceptible to a Directory Traversal Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2025-40549
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-9.1||CRITICAL
EPSS-0.10% / 27.39%
||
7 Day CHG~0.00%
Published-18 Nov, 2025 | 08:41
Updated-26 Feb, 2026 | 16:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Serv-U Path Restriction Bypass Vulnerability

A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this scored as medium due to differences in how paths and home directories are handled.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-serv-uServ-U
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-23467
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-3.39% / 87.72%
||
7 Day CHG~0.00%
Published-17 Jul, 2024 | 14:28
Updated-22 Aug, 2024 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform remote code execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-23472
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-7.46% / 91.98%
||
7 Day CHG~0.00%
Published-17 Jul, 2024 | 14:25
Updated-22 Aug, 2024 | 15:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability

SolarWinds Access Rights Manager (ARM) is susceptible to Directory Traversal vulnerability. This vulnerability allows an authenticated user to arbitrary read and delete files in ARM.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2009-4815
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4||MEDIUM
EPSS-0.32% / 55.52%
||
7 Day CHG~0.00%
Published-27 Apr, 2010 | 15:00
Updated-29 Apr, 2026 | 01:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in Serv-U before 9.2.0.1 allows remote authenticated users to read arbitrary files via unspecified vectors.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-serv-u_file_servern/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2009-1031
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-16.09% / 94.96%
||
7 Day CHG~0.00%
Published-20 Mar, 2009 | 00:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in the FTP server in Rhino Software Serv-U File Server 7.0.0.1 through 7.4.0.1 allows remote attackers to create arbitrary directories via a \.. (backslash dot dot) in an MKD request.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-serv-u_file_servern/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2008-4501
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9||HIGH
EPSS-4.60% / 89.51%
||
7 Day CHG~0.00%
Published-08 Oct, 2008 | 23:00
Updated-23 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in the FTP server in Serv-U 7.0.0.1 through 7.3, including 7.2.0.1, allows remote authenticated users to overwrite or create arbitrary files via a ..\ (dot dot backslash) in the RNTO command.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-serv-u_file_servern/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-45709
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-5.3||MEDIUM
EPSS-0.66% / 71.51%
||
7 Day CHG~0.00%
Published-10 Dec, 2024 | 08:20
Updated-25 Feb, 2025 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Web Help Desk Local File Read Vulnerability

SolarWinds Web Help Desk was susceptible to a local file read vulnerability. This vulnerability requires the software be installed on Linux and configured to use non-default development/test mode making exposure to the vulnerability very limited.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-web_help_deskWeb Help Desk
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-35250
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-7.5||HIGH
EPSS-80.97% / 99.18%
||
7 Day CHG~0.00%
Published-25 Apr, 2022 | 19:47
Updated-17 Sep, 2024 | 00:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Directory Transversal Vulnerability in Serv-U 15.3

A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-serv-uServ-U
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-35230
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-6.7||MEDIUM
EPSS-0.40% / 61.58%
||
7 Day CHG~0.00%
Published-22 Oct, 2021 | 11:19
Updated-16 Sep, 2024 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unquoted Path Vulnerability (SMB Login) in Kiwi CatTools

As a result of an unquoted service path vulnerability present in the Kiwi CatTools Installation Wizard, a local attacker could gain escalated privileges by inserting an executable into the path of the affected service or uninstall entry.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-kiwi_cattoolsKiwi CatTools
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-40055
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8||HIGH
EPSS-3.55% / 88.01%
||
7 Day CHG~0.00%
Published-09 Nov, 2023 | 15:06
Updated-03 Sep, 2024 | 18:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Network Configuration Manager Directory Traversal Remote Code Execution Vulnerability

The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. We found this issue was not resolved in CVE-2023-33227

Action-Not Available
Vendor-SolarWindsSolarWinds Worldwide, LLC.
Product-network_configuration_managerNetwork Configuration Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-40054
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8||HIGH
EPSS-1.39% / 80.82%
||
7 Day CHG~0.00%
Published-09 Nov, 2023 | 15:05
Updated-04 Sep, 2024 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Network Configuration Manager Directory Traversal Remote Code Execution Vulnerability

The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. We found this issue was not resolved in CVE-2023-33226

Action-Not Available
Vendor-SolarWindsSolarWinds Worldwide, LLC.
Product-network_configuration_managerNetwork Configuration Managernetwork_configuration_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-35187
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8.8||HIGH
EPSS-2.02% / 84.19%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 14:24
Updated-13 Sep, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability allows an unauthenticated user to achieve the Remote Code Execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-35185
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-6.8||MEDIUM
EPSS-0.15% / 35.66%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 14:24
Updated-15 Oct, 2024 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager OpenFile Directory Traversal Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-33227
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8||HIGH
EPSS-3.55% / 88.01%
||
7 Day CHG~0.00%
Published-01 Nov, 2023 | 15:31
Updated-05 Sep, 2024 | 19:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Directory Traversal Remote Code Execution Vulnerability

The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability This vulnerability allows a low level user to perform the actions with SYSTEM privileges.

Action-Not Available
Vendor-SolarWindsSolarWinds Worldwide, LLC.
Product-network_configuration_managerNetwork Configuration Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-33226
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8||HIGH
EPSS-3.55% / 88.01%
||
7 Day CHG~0.00%
Published-01 Nov, 2023 | 15:31
Updated-05 Sep, 2024 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Directory Traversal Remote Code Execution Vulnerability

The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges.

Action-Not Available
Vendor-SolarWindsSolarWinds Worldwide, LLC.
Product-network_configuration_managerNetwork Configuration Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-23838
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-6.5||MEDIUM
EPSS-0.85% / 75.39%
||
7 Day CHG~0.00%
Published-25 Apr, 2023 | 00:00
Updated-04 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Directory traversal and file enumeration vulnerability: Database Performance Analyzer (DPA) 2023.1

Directory traversal and file enumeration vulnerability which allowed users to enumerate to different folders of the server.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.Microsoft Corporation
Product-database_performance_analyzerwindowsDatabase Performance Analyzer
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-23842
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-0.29% / 52.82%
||
7 Day CHG~0.00%
Published-26 Jul, 2023 | 14:53
Updated-23 Oct, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Network Configuration Manager Directory Traversal Vulnerability

The SolarWinds Network Configuration Manager was susceptible to the Directory Traversal Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-network_configuration_monitorNetwork Configuration Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-27994
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.89% / 83.64%
||
7 Day CHG~0.00%
Published-03 Feb, 2021 | 15:51
Updated-04 Aug, 2024 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SolarWinds Serv-U before 15.2.2 allows Authenticated Directory Traversal.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-serv-un/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-27870
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.5||HIGH
EPSS-9.31% / 92.95%
||
7 Day CHG~0.00%
Published-10 Feb, 2021 | 22:15
Updated-04 Aug, 2024 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to disclose sensitive information on affected installations of SolarWinds Orion Platform 2020.2.1. Authentication is required to exploit this vulnerability. The specific flaw exists within ExportToPDF.aspx. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-11917.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformOrion Platform
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-27871
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.2||HIGH
EPSS-87.41% / 99.48%
||
7 Day CHG~0.00%
Published-10 Feb, 2021 | 22:15
Updated-04 Aug, 2024 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to create arbitrary files on affected installations of SolarWinds Orion Platform 2020.2.1. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within VulnerabilitySettings.aspx. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-11902.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformOrion Platform
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-23476
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-1.94% / 83.86%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 20:35
Updated-27 Aug, 2024 | 18:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) Directory Traversal Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve the Remote Code Execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-25617
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-8.8||HIGH
EPSS-10.97% / 93.61%
||
7 Day CHG~0.00%
Published-16 Dec, 2020 | 13:52
Updated-04 Aug, 2024 | 15:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An issue was discovered in SolarWinds N-Central 12.3.0.670. The AdvancedScripts HTTP endpoint allows Relative Path Traversal by an authenticated user of the N-Central Administration Console (NAC), leading to execution of OS commands as root.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-n-centraln/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-45711
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-7.5||HIGH
EPSS-10.69% / 93.50%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 07:27
Updated-17 Oct, 2024 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Serv-U FTP Service Directory Traversal Remote Code Execution Vulnerability

SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user. This issue requires a user to be authenticated and this is present when software environment variables are abused. Authentication is required for this vulnerability

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-serv-uServ-Userv-u
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-49215
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-0.04% / 12.00%
||
7 Day CHG~0.00%
Published-21 Oct, 2024 | 00:00
Updated-09 Dec, 2024 | 23:15
Rejected-09 Dec, 2024 | 00:00
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-49294. Reason: This candidate is a reservation duplicate of CVE-2023-49294. Notes: All CVE users should reference CVE-2023-49294 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

Action-Not Available
Vendor-Asterisk
Product-certified_asteriskasterisk
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-34656
Matching Score-4
Assigner-Samsung Mobile
ShareView Details
Matching Score-4
Assigner-Samsung Mobile
CVSS Score-7.3||HIGH
EPSS-0.11% / 29.89%
||
7 Day CHG~0.00%
Published-04 Sep, 2024 | 05:32
Updated-06 Sep, 2024 | 15:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Path traversal in Samsung Notes prior to version 4.4.21.62 allows local attackers to execute arbitrary code.

Action-Not Available
Vendor-SamsungSamsung Electronics
Product-notesSamsung Notesnotes
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-36035
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-7.7||HIGH
EPSS-0.10% / 27.93%
||
7 Day CHG~0.00%
Published-31 Aug, 2022 | 14:55
Updated-23 Apr, 2025 | 17:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Flux CLI Workload Injection

Flux is a tool for keeping Kubernetes clusters in sync with sources of configuration (like Git repositories), and automating updates to configuration when there is new code to deploy. Flux CLI allows users to deploy Flux components into a Kubernetes cluster via command-line. The vulnerability allows other applications to replace the Flux deployment information with arbitrary content which is deployed into the target Kubernetes cluster instead. The vulnerability is due to the improper handling of user-supplied input, which results in a path traversal that can be controlled by the attacker. Users sharing the same shell between other applications and the Flux CLI commands could be affected by this vulnerability. In some scenarios no errors may be presented, which may cause end users not to realize that something is amiss. A safe workaround is to execute Flux CLI in ephemeral and isolated shell environments, which can ensure no persistent values exist from previous processes. However, upgrading to the latest version of the CLI is still the recommended mitigation strategy.

Action-Not Available
Vendor-fluxcdfluxcd
Product-flux2flux2
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found