- 160/2024
- Critical
SolarWinds has released security updates to address several vulnerabilities across multiple SolarWinds products.
The addressed vulnerabilities could allow the attacker to bypass security restrictions, overwrite arbitrary files, perform cross-site scripting attacks, or execute arbitrary code and gain access to the affected system.
Sample of the addressed vulnerabilities:
1. SolarWinds Access Rights Manager Code Execution (CVE-2024-28075):
- CVSS: 9
- Attack Vector: Adjacent Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Access
2. SolarWinds Access Rights Manager Security Bypass (CVE-2024-23473):
- CVSS: 8.6
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Bypass Security
Affected products:
- SolarWinds Platform 2024.1 and prior versions.
- Serv-U 15.4.2 and previous versions.
- SolarWinds Access Rights Manager (ARM) 2023.2.2.30 and prior versions.
- SolarWinds ARM 2023.2.3 and prior versions.
- SolarWinds Platform 2024.1 and previous versions.
Vulnerabilities
- CVE-2024-28072
- CVE-2024-28073
- CVE-2024-28075
- CVE-2024-28076
- CVE-2024-29000
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.