CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-47506 – SolarWinds Platform Directory Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2022-47506
SolarWinds Platform was susceptible to the Directory Traversal Vulnerability. This vulnerability allows a local adversary with authenticated account access to edit the default configuration, enabling the execution of arbitrary commands. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor. Authentication may be required to exploit this vulnerability, depending on the product configuration. The specific flaw exists within the sshd_SftpRename function. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htm https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47506 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2022-36964 – SolarWinds Platform Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2022-36964
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands. La plataforma SolarWinds era susceptible a la deserialización de datos no confiables. Esta vulnerabilidad permite que un adversario remoto con acceso válido a SolarWinds Web Console ejecute comandos arbitrarios. This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor. • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-4_release_notes.htm https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-36964 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2022-36960 – SolarWinds Platform Improper Input Validation
https://notcve.org/view.php?id=CVE-2022-36960
SolarWinds Platform was susceptible to Improper Input Validation. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to escalate user privileges. La plataforma SolarWinds fue susceptible a una validación de entrada incorrecta. Esta vulnerabilidad permite que un adversario remoto con acceso válido a SolarWinds Web Console escale los privilegios del usuario. This vulnerability allows remote attackers to escalate privileges on affected installations of SolarWinds Network Performance Monitor. • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-4_release_notes.htm https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-36960 • CWE-20: Improper Input Validation CWE-287: Improper Authentication •
CVSS: 7.2EPSS: 0%CPEs: 9EXPL: 0CVE-2022-36962 – SolarWinds Platform Command Injection
https://notcve.org/view.php?id=CVE-2022-36962
SolarWinds Platform was susceptible to Command Injection. This vulnerability allows a remote adversary with complete control over the SolarWinds database to execute arbitrary commands. La plataforma SolarWinds era susceptible a la Inyección de Comandos. Esta vulnerabilidad permite que un adversario remoto con control total sobre la base de datos de SolarWinds ejecute comandos arbitrarios. This vulnerability allows remote attackers to execute code on affected installations of SolarWinds Network Performance Monitor. • https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-4_release_notes.htm https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-36962 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.2EPSS: 3%CPEs: 9EXPL: 0CVE-2022-38108 – SolarWinds Platform Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2022-38108
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands. SolarWinds Platform era susceptible a la Deserialización de Datos No Confiables. Esta vulnerabilidad permite a un adversario remoto con acceso a la cuenta de nivel de administrador de Orion a la consola web de SolarWinds ejecutar comandos arbitrarios This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor. Authentication is required to exploit this vulnerability. The specific flaw exists within the MessageToBytes function. • http://packetstormsecurity.com/files/171567/SolarWinds-Information-Service-SWIS-Remote-Command-Execution.html https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38108 https://www.zerodayinitiative.com/advisories/ZDI-CAN-17531 • CWE-502: Deserialization of Untrusted Data •