cbcvebase.

Solarwinds Orion Platform vulnerabilities

51 known vulnerabilities affecting solarwinds/orion_platform.

Total CVEs
51
CISA KEV
1
actively exploited
Public exploits
2
Exploited in wild
2
Severity breakdown
CRITICAL6HIGH29MEDIUM16

Vulnerabilities

Page 1 of 3
CVE-2020-10148P1CRITICALCVSS 9.8KEVPoCv2019.4v2020.2+4 more2020-12-29
CVE-2020-10148 [CRITICAL] CWE-288 CVE-2020-10148: The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacke The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no
nvd
CVE-2019-9546P2CRITICALCVSS 9.8Exploitedfixed in 2018.4v2018.42019-03-01
CVE-2019-9546 [CRITICAL] CWE-427 CVE-2019-9546: SolarWinds Orion Platform before 2018.4 Hotfix 2 allows privilege escalation through the RabbitMQ se SolarWinds Orion Platform before 2018.4 Hotfix 2 allows privilege escalation through the RabbitMQ service.
nvd
CVE-2022-38108P2HIGHCVSS 7.2PoCfixed in 2020.2.6v2020.2.6+3 more2022-10-20
CVE-2022-38108 [HIGH] CWE-502 CVE-2022-38108: SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability all SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
nvd
CVE-2021-35218P2HIGHCVSS 8.8fixed in 2020.2.62021-09-01
CVE-2021-35218 [HIGH] CWE-502 CVE-2021-35218: Deserialization of Untrusted Data in the Web Console Chart Endpoint can lead to remote code executio Deserialization of Untrusted Data in the Web Console Chart Endpoint can lead to remote code execution. An unauthorized attacker who has network access to the Orion Patch Manager Web Console could potentially exploit this and compromise the server
nvd
CVE-2022-36958P2HIGHCVSS 8.8fixed in 2020.2.6v2020.2.6+3 more2022-10-20
CVE-2022-36958 [HIGH] CWE-502 CVE-2022-36958: SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability all SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.
nvd
CVE-2021-35217P2HIGHCVSS 8.8≥ 2020.2.5 and previous versions, < 2020.2.62021-09-08
CVE-2021-35217 [HIGH] CWE-502 CVE-2021-35217: Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patc Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. An Authenticated Attacker could exploit it by executing WSAsyncExecuteTasks deserialization of untrusted data.
nvd
CVE-2021-35215P2HIGHCVSS 8.8≤ 2020.2.5≥ 2020.2.5 and previous versions, < 2020.2.62021-09-01
CVE-2021-35215 [HIGH] CWE-502 CVE-2021-35215: Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Authentication is required to exploit this vulnerability.
nvd
CVE-2022-36961P2HIGHCVSS 8.8≤ 2022.2.0≥ 2022.2.3 and previous versions, < 2022.2.32022-09-30
CVE-2022-36961 [HIGH] CWE-89 CVE-2022-36961: A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution.
nvd
CVE-2020-27871P2HIGHCVSS 7.2v2020.2.12021-02-10
CVE-2020-27871 [HIGH] CWE-22 CVE-2020-27871: This vulnerability allows remote attackers to create arbitrary files on affected installations of So This vulnerability allows remote attackers to create arbitrary files on affected installations of SolarWinds Orion Platform 2020.2.1. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within VulnerabilitySettings.aspx. The issue results from the lack of pro
nvd
CVE-2021-25274P2CRITICALCVSS 9.8fixed in 2020.2.42021-02-03
CVE-2021-25274 [CRITICAL] CWE-502 CVE-2021-25274: The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queu The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. Additionally, upon processing of such messages, the service deserializes th
nvd
CVE-2022-38111P2HIGHCVSS 7.2v2022.4.12023-02-15
CVE-2022-38111 [HIGH] CWE-502 CVE-2022-38111: SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability all SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
nvd
CVE-2023-23836P2HIGHCVSS 7.2v2022.4.12023-02-15
CVE-2023-23836 [HIGH] CWE-502 CVE-2023-23836: SolarWinds Platform version 2022.4.1 was found to be susceptible to the Deserialization of Untrusted SolarWinds Platform version 2022.4.1 was found to be susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to the SolarWinds Web Console to execute arbitrary commands.
nvd
CVE-2022-36964P2HIGHCVSS 8.8fixed in 2020.2.6v2020.2.6+3 more2022-11-29
CVE-2022-36964 [HIGH] CWE-502 CVE-2022-36964: SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability all SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.
nvd
CVE-2021-27258P2CRITICALCVSS 9.8v2020.22021-04-14
CVE-2021-27258 [CRITICAL] CWE-284 CVE-2021-27258: This vulnerability allows remote attackers to execute escalate privileges on affected installations This vulnerability allows remote attackers to execute escalate privileges on affected installations of SolarWinds Orion Platform 2020.2. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SaveUserSetting endpoint. The issue results from improper restriction of this endpoint to unprivileged users. An at
nvd
CVE-2022-47504P3HIGHCVSS 7.2v2022.4.12023-02-15
CVE-2022-47504 [HIGH] CWE-502 CVE-2022-47504: SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability all SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
nvd
CVE-2022-47503P3HIGHCVSS 7.2v2022.4.12023-02-15
CVE-2022-47503 [HIGH] CWE-502 CVE-2022-47503: SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability all SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
nvd
CVE-2021-35213P3HIGHCVSS 8.8≤ 2020.2.5≥ 2020.2.5 and previous versions, < 2020.2.52021-08-31
CVE-2021-35213 [HIGH] CWE-284 CVE-2021-35213: An Improper Access Control Privilege Escalation Vulnerability was discovered in the User Setting of An Improper Access Control Privilege Escalation Vulnerability was discovered in the User Setting of Orion Platform version 2020.2.5. It allows a guest user to elevate privileges to the Administrator using this vulnerability. Authentication is required to exploit the vulnerability.
nvd
CVE-2022-36957P3HIGHCVSS 7.2fixed in 2020.2.6v2020.2.6+3 more2022-10-20
CVE-2022-36957 [HIGH] CWE-502 CVE-2022-36957: SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability all SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
nvd
CVE-2022-36962P3HIGHCVSS 7.2fixed in 2020.2.6v2020.2.6+3 more2022-11-29
CVE-2022-36962 [HIGH] CWE-78 CVE-2022-36962: SolarWinds Platform was susceptible to Command Injection. This vulnerability allows a remote adversa SolarWinds Platform was susceptible to Command Injection. This vulnerability allows a remote adversary with complete control over the SolarWinds database to execute arbitrary commands.
nvd
CVE-2022-36963P3HIGHCVSS 7.2fixed in 2023.22023-04-21
CVE-2022-36963 [HIGH] CWE-94 CVE-2022-36963: The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability a The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.
nvd
Solarwinds Orion Platform vulnerabilities | cvebase