Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-23474

Summary
Assigner-SolarWinds
Assigner Org ID-49f11609-934d-4621-84e6-e02e032104d6
Published At-17 Jul, 2024 | 14:22
Updated At-01 Aug, 2024 | 23:06
Rejected At-
Credits

SolarWinds Access Rights Manager (ARM) deleteTransferFile Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability

The SolarWinds Access Rights Manager was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:SolarWinds
Assigner Org ID:49f11609-934d-4621-84e6-e02e032104d6
Published At:17 Jul, 2024 | 14:22
Updated At:01 Aug, 2024 | 23:06
Rejected At:
▼CVE Numbering Authority (CNA)
SolarWinds Access Rights Manager (ARM) deleteTransferFile Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability

The SolarWinds Access Rights Manager was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability.

Affected Products
Vendor
SolarWinds Worldwide, LLC.SolarWinds
Product
Access Rights Manager
Default Status
affected
Versions
Affected
  • From previous versions through 2023.2.4 (2024.3)
Problem Types
TypeCWE IDDescription
CWECWE-22CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Type: CWE
CWE ID: CWE-22
Description: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Metrics
VersionBase scoreBase severityVector
3.17.6HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Version: 3.1
Base score: 7.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-37CAPEC-37 Retrieve Embedded Sensitive Data
CAPEC-165CAPEC-165 File Manipulation
CAPEC ID: CAPEC-37
Description: CAPEC-37 Retrieve Embedded Sensitive Data
CAPEC ID: CAPEC-165
Description: CAPEC-165 File Manipulation
Solutions

All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2024.3

Configurations
Workarounds
Exploits
Credits
finder
Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm
N/A
Hyperlink: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm
x_transferred
Hyperlink: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@solarwinds.com
Published At:17 Jul, 2024 | 15:15
Updated At:10 Sep, 2024 | 18:39

The SolarWinds Access Rights Manager was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.19.8CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Secondary3.17.6HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
Type: Primary
Version: 3.1
Base score: 9.8
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 7.6
Base severity: HIGH
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CPE Matches
SolarWinds Worldwide, LLC.
solarwinds
>>access_rights_manager>>Versions up to 2023.2.4(inclusive)
cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-22Primarypsirt@solarwinds.com
CWE ID: CWE-22
Type: Primary
Source: psirt@solarwinds.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htmpsirt@solarwinds.com
Release Notes
Hyperlink: https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm
Source: psirt@solarwinds.com
Resource:
Release Notes

Change History

0
Information is not available yet

Similar CVEs

562Records found
CVE-2024-23466
Matching Score-10
Assigner-SolarWinds
ShareView Details
Matching Score-10
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-3.39% / 86.90%
||
7 Day CHG+2.67%
Published-17 Jul, 2024 | 14:28
Updated-22 Aug, 2024 | 15:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal Remote Code Execution Vulnerability

SolarWinds Access Rights Manager (ARM) is susceptible to a Directory Traversal Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-23467
Matching Score-10
Assigner-SolarWinds
ShareView Details
Matching Score-10
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-2.82% / 85.58%
||
7 Day CHG+2.69%
Published-17 Jul, 2024 | 14:28
Updated-22 Aug, 2024 | 16:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform remote code execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-23468
Matching Score-10
Assigner-SolarWinds
ShareView Details
Matching Score-10
Assigner-SolarWinds
CVSS Score-7.6||HIGH
EPSS-0.43% / 61.77%
||
7 Day CHG+0.31%
Published-17 Jul, 2024 | 14:23
Updated-22 Aug, 2024 | 16:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal and Information Disclosure Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-23475
Matching Score-10
Assigner-SolarWinds
ShareView Details
Matching Score-10
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-0.14% / 34.35%
||
7 Day CHG+0.03%
Published-17 Jul, 2024 | 14:26
Updated-10 Sep, 2024 | 18:43
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal and Information Disclosure Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-35187
Matching Score-10
Assigner-SolarWinds
ShareView Details
Matching Score-10
Assigner-SolarWinds
CVSS Score-8.8||HIGH
EPSS-2.02% / 83.01%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 14:24
Updated-13 Sep, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability allows an unauthenticated user to achieve the Remote Code Execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-28993
Matching Score-10
Assigner-SolarWinds
ShareView Details
Matching Score-10
Assigner-SolarWinds
CVSS Score-7.6||HIGH
EPSS-0.43% / 61.77%
||
7 Day CHG+0.32%
Published-17 Jul, 2024 | 14:24
Updated-22 Aug, 2024 | 15:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal and Information Disclosure Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-28992
Matching Score-10
Assigner-SolarWinds
ShareView Details
Matching Score-10
Assigner-SolarWinds
CVSS Score-7.6||HIGH
EPSS-0.24% / 46.77%
||
7 Day CHG+0.14%
Published-17 Jul, 2024 | 14:23
Updated-22 Aug, 2024 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal and Information Disclosure Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manager
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-15542
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.45% / 88.62%
||
7 Day CHG~0.00%
Published-05 Jul, 2020 | 21:04
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SolarWinds Serv-U FTP server before 15.2.1 mishandles the CHMOD command.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-serv-u_ftp_servern/a
CVE-2024-23473
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-8.6||HIGH
EPSS-0.10% / 28.18%
||
7 Day CHG~0.00%
Published-09 May, 2024 | 12:43
Updated-10 Feb, 2025 | 22:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) Hard-Coded Credentials Authentication Bypass Vulnerability

The SolarWinds Access Rights Manager was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability allows access to the RabbitMQ management console. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2024-23469
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-16.30% / 94.58%
||
7 Day CHG+11.39%
Published-17 Jul, 2024 | 14:26
Updated-10 Sep, 2024 | 17:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Exposed Dangerous Method Remote Code Execution Vulnerability

SolarWinds Access Rights Manager (ARM) is susceptible to a Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-20
Improper Input Validation
CVE-2024-23470
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-1.51% / 80.43%
||
7 Day CHG+0.82%
Published-17 Jul, 2024 | 14:30
Updated-11 Sep, 2024 | 14:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) UserScriptHumster Exposed Dangerous Method Remote Command Execution Vulnerability

The SolarWinds Access Rights Manager was found to be susceptible to a pre-authentication remote code execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to run commands and executables.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-287
Improper Authentication
CVE-2024-23471
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-1.27% / 78.64%
||
7 Day CHG+0.87%
Published-17 Jul, 2024 | 14:31
Updated-10 Sep, 2024 | 18:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) CreateFile Directory Traversal Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-287
Improper Authentication
CVE-2024-23465
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-8.3||HIGH
EPSS-0.04% / 9.68%
||
7 Day CHG-0.20%
Published-17 Jul, 2024 | 14:27
Updated-10 Sep, 2024 | 18:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) ChangeHumster Exposed Dangerous Method Authentication Bypass Vulnerability

The SolarWinds Access Rights Manager was found to be susceptible to an authentication bypass vulnerability. This vulnerability allows an unauthenticated user to gain domain admin access within the Active Directory environment.  

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-287
Improper Authentication
CVE-2024-0692
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-8.8||HIGH
EPSS-83.31% / 99.22%
||
7 Day CHG~0.00%
Published-01 Mar, 2024 | 08:55
Updated-16 Apr, 2025 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Security Event Manager Deserialization of Untrusted Data Remote Code Execution Vulnerability

The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse SolarWinds’ service, resulting in remote code execution.

Action-Not Available
Vendor-SolarWindsSolarWinds Worldwide, LLC.
Product-security_event_managerSecurity Event Manager security_event_manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-31474
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-9.8||CRITICAL
EPSS-53.63% / 97.90%
||
7 Day CHG~0.00%
Published-21 May, 2021 | 14:40
Updated-03 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SolarWinds.Serialization library. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12213.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-network_performance_monitorNetwork Performance Monitor
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-27258
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-9.8||CRITICAL
EPSS-11.23% / 93.23%
||
7 Day CHG~0.00%
Published-14 Apr, 2021 | 15:45
Updated-03 Aug, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute escalate privileges on affected installations of SolarWinds Orion Platform 2020.2. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SaveUserSetting endpoint. The issue results from improper restriction of this endpoint to unprivileged users. An attacker can leverage this vulnerability to escalate privileges their privileges from Guest to Administrator. Was ZDI-CAN-11903.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformOrion Platform
CWE ID-CWE-284
Improper Access Control
CVE-2021-25274
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-64.37% / 98.37%
||
7 Day CHG~0.00%
Published-03 Feb, 2021 | 16:49
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. Additionally, upon processing of such messages, the service deserializes them in insecure manner, allowing remote arbitrary code execution as LocalSystem.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-orion_platformn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-35184
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-8.8||HIGH
EPSS-10.60% / 92.98%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 14:22
Updated-12 Sep, 2024 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Deserialization of Untrusted Data Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service resulting in a remote code execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-35182
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-8.8||HIGH
EPSS-4.64% / 88.87%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 14:23
Updated-12 Sep, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Deserialization of Untrusted Data Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability can be abused by unauthenticated users on SolarWinds ARM Server.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2020-35481
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.46% / 88.63%
||
7 Day CHG~0.00%
Published-03 Feb, 2021 | 15:47
Updated-04 Aug, 2024 | 17:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SolarWinds Serv-U before 15.2.2 allows Unauthenticated Macro Injection.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-serv-un/a
CVE-2023-40061
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-8.8||HIGH
EPSS-0.08% / 25.10%
||
7 Day CHG-0.02%
Published-01 Nov, 2023 | 15:30
Updated-15 Oct, 2024 | 17:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Job Execution Mechanism Vulnerability

 Insecure job execution mechanism vulnerability. This vulnerability can lead to other attacks as a result.

Action-Not Available
Vendor-SolarWindsSolarWinds Worldwide, LLC.
Product-solarwinds_platformSolarWinds Platform
CWE ID-CWE-20
Improper Input Validation
CVE-2020-15541
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-21.21% / 95.45%
||
7 Day CHG~0.00%
Published-05 Jul, 2020 | 21:04
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SolarWinds Serv-U FTP server before 15.2.1 allows remote command execution.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-serv-u_ftp_servern/a
CVE-2020-15543
Matching Score-8
Assigner-MITRE Corporation
ShareView Details
Matching Score-8
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-4.45% / 88.62%
||
7 Day CHG~0.00%
Published-05 Jul, 2020 | 21:04
Updated-04 Aug, 2024 | 13:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SolarWinds Serv-U FTP server before 15.2.1 does not validate an argument path.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-serv-u_ftp_servern/a
CWE ID-CWE-20
Improper Input Validation
CVE-2020-10148
Matching Score-8
Assigner-CERT/CC
ShareView Details
Matching Score-8
Assigner-CERT/CC
CVSS Score-9.8||CRITICAL
EPSS-94.34% / 99.95%
||
7 Day CHG~0.00%
Published-29 Dec, 2020 | 21:55
Updated-30 Jul, 2025 | 01:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2022-05-03||Apply updates per vendor instructions.
SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformOrion Platformorion_platformOrion
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2019-3980
Matching Score-8
Assigner-Tenable Network Security, Inc.
ShareView Details
Matching Score-8
Assigner-Tenable Network Security, Inc.
CVSS Score-9.8||CRITICAL
EPSS-40.91% / 97.28%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 19:40
Updated-04 Aug, 2024 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Solarwinds Dameware Mini Remote Client agent v12.1.0.89 supports smart card authentication which can allow a user to upload an executable to be executed on the DWRCS.exe host. An unauthenticated, remote attacker can request smart card login and upload and execute an arbitrary executable run under the Local System account.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-dameware_mini_remote_controlSolarWinds Dameware Remote Mini Remote Client Agent Service
CWE ID-CWE-346
Origin Validation Error
CVE-2024-28990
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-6.3||MEDIUM
EPSS-0.08% / 23.75%
||
7 Day CHG~0.00%
Published-12 Sep, 2024 | 13:16
Updated-16 Sep, 2024 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) Hardcoded Credentials Authentication Bypass Vulnerability

SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability would allow access to the RabbitMQ management console. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manager
CWE ID-CWE-798
Use of Hard-coded Credentials
CVE-2024-52606
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-3.5||LOW
EPSS-0.09% / 26.71%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 07:17
Updated-25 Feb, 2025 | 17:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Server-Side Request Forgery Vulnerability

SolarWinds Platform is affected by server-side request forgery vulnerability. Proper input sanitation was not applied allowing for the possibility of a malicious web request.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-solarwinds_platformSolarWinds
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2024-28986
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-9.8||CRITICAL
EPSS-29.91% / 96.48%
||
7 Day CHG-4.40%
Published-13 Aug, 2024 | 22:06
Updated-30 Jul, 2025 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-09-05||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
SolarWinds Web Help Desk Java Deserialization Remote Code Execution Vulnerability

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing.   However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-web_help_deskWeb Help DeskwebhelpdeskWeb Help Desk
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-28074
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-0.10% / 28.93%
||
7 Day CHG-0.91%
Published-17 Jul, 2024 | 14:29
Updated-10 Sep, 2024 | 18:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) Internal Deserialization Remote Code Execution Vulnerability

It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager. While some controls were implemented the researcher was able to bypass these and use a different method to exploit the vulnerability.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2009-4815
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-4||MEDIUM
EPSS-0.43% / 61.86%
||
7 Day CHG~0.00%
Published-27 Apr, 2010 | 15:00
Updated-11 Apr, 2025 | 00:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in Serv-U before 9.2.0.1 allows remote authenticated users to read arbitrary files via unspecified vectors.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-serv-u_file_servern/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-23472
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-6.69% / 90.86%
||
7 Day CHG+6.46%
Published-17 Jul, 2024 | 14:25
Updated-22 Aug, 2024 | 15:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability

SolarWinds Access Rights Manager (ARM) is susceptible to Directory Traversal vulnerability. This vulnerability allows an authenticated user to arbitrary read and delete files in ARM.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-23477
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-7.9||HIGH
EPSS-1.41% / 79.68%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 20:35
Updated-01 Aug, 2024 | 23:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) Directory Traversal Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-23479
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-1.30% / 78.88%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 20:34
Updated-06 Aug, 2024 | 15:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) Directory Traversal Remote Code Execution Vulnerability

SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-23476
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-1.94% / 82.65%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 20:35
Updated-27 Aug, 2024 | 18:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) Directory Traversal Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve the Remote Code Execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2009-1031
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-7.8||HIGH
EPSS-7.07% / 91.13%
||
7 Day CHG~0.00%
Published-20 Mar, 2009 | 00:00
Updated-07 Aug, 2024 | 04:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in the FTP server in Rhino Software Serv-U File Server 7.0.0.1 through 7.4.0.1 allows remote attackers to create arbitrary directories via a \.. (backslash dot dot) in an MKD request.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-serv-u_file_servern/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-35230
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-6.7||MEDIUM
EPSS-0.32% / 54.67%
||
7 Day CHG~0.00%
Published-22 Oct, 2021 | 11:19
Updated-16 Sep, 2024 | 18:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unquoted Path Vulnerability (SMB Login) in Kiwi CatTools

As a result of an unquoted service path vulnerability present in the Kiwi CatTools Installation Wizard, a local attacker could gain escalated privileges by inserting an executable into the path of the affected service or uninstall entry.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-kiwi_cattoolsKiwi CatTools
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-35250
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-7.5||HIGH
EPSS-91.92% / 99.69%
||
7 Day CHG~0.00%
Published-25 Apr, 2022 | 19:47
Updated-17 Sep, 2024 | 00:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Directory Transversal Vulnerability in Serv-U 15.3

A researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. This may allow access to files relating to the Serv-U installation and server files. This issue has been resolved in Serv-U 15.3 Hotfix 1.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-serv-uServ-U
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2008-4501
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9||HIGH
EPSS-3.49% / 87.12%
||
7 Day CHG~0.00%
Published-08 Oct, 2008 | 23:00
Updated-07 Aug, 2024 | 10:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in the FTP server in Serv-U 7.0.0.1 through 7.3, including 7.2.0.1, allows remote authenticated users to overwrite or create arbitrary files via a ..\ (dot dot backslash) in the RNTO command.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-serv-u_file_servern/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-47506
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-7.8||HIGH
EPSS-0.12% / 31.58%
||
7 Day CHG~0.00%
Published-15 Feb, 2023 | 00:00
Updated-18 Mar, 2025 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Directory Traversal Vulnerability

SolarWinds Platform was susceptible to the Directory Traversal Vulnerability. This vulnerability allows a local adversary with authenticated account access to edit the default configuration, enabling the execution of arbitrary commands.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformSolarWinds Platform
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2001-0054
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5||MEDIUM
EPSS-5.08% / 89.40%
||
7 Day CHG~0.00%
Published-07 May, 2001 | 04:00
Updated-03 Apr, 2025 | 01:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in FTP Serv-U before 2.5i allows remote attackers to escape the FTP root and read arbitrary files by appending a string such as "/..%20." to a CD command, a variant of a .. (dot dot) attack.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-serv-u_file_servern/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-35185
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-6.8||MEDIUM
EPSS-0.15% / 36.30%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 14:24
Updated-15 Oct, 2024 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager OpenFile Directory Traversal Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-33226
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8||HIGH
EPSS-3.55% / 87.23%
||
7 Day CHG~0.00%
Published-01 Nov, 2023 | 15:31
Updated-05 Sep, 2024 | 19:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Directory Traversal Remote Code Execution Vulnerability

The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges.

Action-Not Available
Vendor-SolarWindsSolarWinds Worldwide, LLC.
Product-network_configuration_managerNetwork Configuration Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-45709
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-5.3||MEDIUM
EPSS-0.13% / 33.87%
||
7 Day CHG+0.04%
Published-10 Dec, 2024 | 08:20
Updated-25 Feb, 2025 | 17:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Web Help Desk Local File Read Vulnerability

SolarWinds Web Help Desk was susceptible to a local file read vulnerability. This vulnerability requires the software be installed on Linux and configured to use non-default development/test mode making exposure to the vulnerability very limited.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-web_help_deskWeb Help Desk
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-45711
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-7.5||HIGH
EPSS-3.09% / 86.26%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 07:27
Updated-17 Oct, 2024 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Serv-U FTP Service Directory Traversal Remote Code Execution Vulnerability

SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user. This issue requires a user to be authenticated and this is present when software environment variables are abused. Authentication is required for this vulnerability

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-serv-uServ-Userv-u
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-23838
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-6.5||MEDIUM
EPSS-0.78% / 72.79%
||
7 Day CHG~0.00%
Published-25 Apr, 2023 | 00:00
Updated-04 Feb, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Directory traversal and file enumeration vulnerability: Database Performance Analyzer (DPA) 2023.1

Directory traversal and file enumeration vulnerability which allowed users to enumerate to different folders of the server.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.Microsoft Corporation
Product-database_performance_analyzerwindowsDatabase Performance Analyzer
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-23842
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-0.30% / 52.66%
||
7 Day CHG~0.00%
Published-26 Jul, 2023 | 14:53
Updated-23 Oct, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Network Configuration Manager Directory Traversal Vulnerability

The SolarWinds Network Configuration Manager was susceptible to the Directory Traversal Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-network_configuration_monitorNetwork Configuration Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-27994
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-6.5||MEDIUM
EPSS-1.89% / 82.41%
||
7 Day CHG~0.00%
Published-03 Feb, 2021 | 15:51
Updated-04 Aug, 2024 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

SolarWinds Serv-U before 15.2.2 allows Authenticated Directory Traversal.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-serv-un/a
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-27870
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.5||HIGH
EPSS-3.37% / 86.86%
||
7 Day CHG~0.00%
Published-10 Feb, 2021 | 22:15
Updated-04 Aug, 2024 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to disclose sensitive information on affected installations of SolarWinds Orion Platform 2020.2.1. Authentication is required to exploit this vulnerability. The specific flaw exists within ExportToPDF.aspx. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-11917.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformOrion Platform
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2020-27871
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.2||HIGH
EPSS-66.02% / 98.45%
||
7 Day CHG~0.00%
Published-10 Feb, 2021 | 22:15
Updated-04 Aug, 2024 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to create arbitrary files on affected installations of SolarWinds Orion Platform 2020.2.1. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within VulnerabilitySettings.aspx. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-11902.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformOrion Platform
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-40054
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8||HIGH
EPSS-1.39% / 79.56%
||
7 Day CHG~0.00%
Published-09 Nov, 2023 | 15:05
Updated-04 Sep, 2024 | 13:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Network Configuration Manager Directory Traversal Remote Code Execution Vulnerability

The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. We found this issue was not resolved in CVE-2023-33226

Action-Not Available
Vendor-SolarWindsSolarWinds Worldwide, LLC.
Product-network_configuration_managerNetwork Configuration Managernetwork_configuration_manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 11
  • 12
  • Next
Details not found