SolarWinds Security Vulnerabilities


You can subscribe to this RSS feed to be notified when we update this page (note: you will need to copy and paste the "Subscribe to this RSS feed" URL into an RSS feed reader, e.g., Outlook's RSS Subscriptions, to monitor updates).

| Advisory | CVE ID | Severity | Release Date | Last Update | Fixed Version |
|---|---|---|---|---|---|
| Sensitive Data Disclosure Vulnerability | CVE-2023-40058 | 7.6 High | 12/20/2023 | 12/20/2023 | Access Rights Manager (ARM) 2023.2.2 |
| HTML Injection Vulnerability on Serv-U 15.4 | CVE-2023-40053 | 4.6 Medium | 12/05/2023 | 12/05/2023 | Serv-U 15.4.1 |
| SQL Injection Remote Code Execution Vulnerability | CVE-2023-40056 | 8.0 High | 11/28/2023 | | SolarWinds Platform 2023.4.2 |
| Directory Traversal Remote Code Execution Vulnerability | CVE-2023-40055 | 8.0 High | 11/01/2023 | | Network Configuration Manager 2023.4.1 |
| Directory Traversal Remote Code Execution Vulnerability | CVE-2023-40054 | 8.0 High | 11/01/2023 | | Network Configuration Manager 2023.4.1 |
| Directory Traversal Remote Code Execution Vulnerability | CVE-2023-33226 | 8.0 High | 11/01/2023 | | Network Configuration Manager 2023.4 |
| Sensitive Information Disclosure Vulnerability | CVE-2023-33228 | 4.5 Medium | 11/01/2023 | | Network Configuration Manager 2023.4 |
| Directory Traversal Remote Code Execution Vulnerability | CVE-2023-33227 | 8.0 High | 11/01/2023 | 11/01/2023 | Network Configuration Manager 2023.4 |
| SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability | CVE-2023-40062 | 8.0 High | 11/01/2023 | | SolarWinds Platform 2023.4 |
| Insecure Job Execution Mechanism Vulnerability | CVE-2023-40061 | 7.1 High | 11/01/2023 | | SolarWinds Platform 2023.4 |
| Apache ActiveMQ Vulnerability | CVE-2023-46604 | 10.0 Critical | 10/27/2023 | 10/28/2023 | |
| SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability | CVE-2023-35181 | 7.8 High | 10/18/2023 | 10/18/2023 | SolarWinds ARM 2023.2.1 |
| SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution Vulnerability | CVE-2023-35184 | 8.8 High | 10/18/2023 | 10/18/2023 | SolarWinds ARM 2023.2.1 |
| SolarWinds Access Rights Manager Deserialization of Untrusted Data Remote Code Execution Vulnerability | CVE-2023-35180 | 8.0 High | 10/18/2023 | 10/18/2023 | SolarWinds ARM 2023.2.1 |
| SolarWinds Access Rights Manager Directory Traversal Remote Code Execution Vulnerability | CVE-2023-35187 | 8.8 High | 10/18/2023 | 10/18/2023 | SolarWinds ARM 2023.2.1 |
| SolarWinds Access Rights Manager OpenFile Directory Traversal Remote Code Execution Vulnerability | CVE-2023-35185 | 8.8 High | 10/18/2023 | 10/18/2023 | SolarWinds ARM 2023.2.1 |
| SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability | CVE-2023-35183 | 7.8 High | 10/18/2023 | 10/18/2023 | SolarWinds ARM 2023.2.1 |
| SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution Vulnerability | CVE-2023-35182 | 8.8 High | 10/18/2023 | 10/18/2023 | SolarWinds ARM 2023.2.1 |
| SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution Vulnerability | CVE-2023-35186 | 8.0 High | 10/18/2023 | 10/18/2023 | SolarWinds ARM 2023.2.1 |
| Recommendations for SolarWinds products | CVE-2023-44487 | 7.5 High | 10/10/2023 | 10/20/2023 | |
| MFA/2FA Bypass Vulnerability in Serv-U 15.4: Serv-U 15.4 and 15.4 HF1 | CVE-2023-40060 | 6.6 Medium | 08/30/2023 | 08/30/2023 | Serv-U 15.4 HF2 |
| MFA/2FA Bypass Vulnerability in Serv-U 15.4 | CVE-2023-35179 | 6.6 Medium | 08/04/2023 | 08/04/2023 | Serv-U 15.4 HF1 |
| SolarWinds Platform Exposed Dangerous Method Vulnerability | CVE-2023-23845 | 6.8 Medium | 07/18/2023 | 07/18/2023 | SolarWinds Platform 2023.3.1 |
| SolarWinds Platform Exposed Dangerous Method Vulnerability | CVE-2023-23840 | 6.8 Medium | 07/18/2023 | 07/18/2023 | SolarWinds Platform 2023.3.1 |
| SolarWinds Platform Access Control Bypass Vulnerability | CVE-2023-3622 | 4.6 Medium | 07/18/2023 | 07/18/2023 | SolarWinds Platform 2023.3 |
| SolarWinds Platform Incorrect Behavior Order Vulnerability | CVE-2023-33224 | 6.8 Medium | 07/18/2023 | 07/18/2023 | SolarWinds Platform 2023.3 |
| SolarWinds Platform Incorrect Input Neutralization Vulnerability | CVE-2023-33229 | 3.1 Low | 07/18/2023 | 07/18/2023 | SolarWinds Platform 2023.3 |
| SolarWinds Platform Deserialization of Untrusted Data Vulnerability | CVE-2023-33225 | 6.8 Medium | 07/18/2023 | 07/18/2023 | SolarWinds Platform 2023.3 |
| SolarWinds Platform Incomplete List of Disallowed Inputs Vulnerability | CVE-2023-23844 | 6.8 Medium | 07/18/2023 | 07/18/2023 | SolarWinds Platform 2023.3 |
| SolarWinds Network Configuration Manager Directory Traversal Vulnerability | CVE-2023-23842 | 6.8 Medium | 07/18/2023 | 07/18/2023 | Network Configuration Manager 2023.3 |
| SolarWinds Platform Incorrect Comparison Vulnerability | CVE-2023-23843 | 6.8 Medium | 07/18/2023 | 07/18/2023 | SolarWinds Platform 2023.3 |
| Cross-Site Scripting Vulnerability | CVE-2023-33231 | 5.4 Medium | 07/18/2023 | 07/18/2023 | Database Performance Analyzer (DPA) 2023.2.100 |
| SolarWinds Serv-U Exposure of Sensitive Information Vulnerability | CVE-2023-23841 | 4.8 Medium | 05/17/2023 | 05/17/2023 | Serv-U 15.4 |
| SolarWinds Platform Exposure of Sensitive Information Vulnerability | CVE-2023-23839 | 6.8 Medium | 04/20/2023 | 04/20/2023 | SolarWinds Platform 2023.2 |
| No Exception Handling Vulnerability | CVE-2023-23837 | 4.3 Medium | 04/18/2023 | 04/18/2023 | Database Performance Analyzer (DPA) 2023.2 |
| Directory traversal and file enumeration vulnerability | CVE-2023-23838 | 4.0 Medium | 04/18/2023 | 04/18/2023 | Database Performance Analyzer (DPA) 2023.2 |
| SolarWinds Platform Command Injection Vulnerability | CVE-2022-36963 | 8.8 High | 04/18/2023 | 04/18/2023 | SolarWinds Platform 2023.2 |
| SolarWinds Platform Incorrect Input Neutralization Vulnerability | CVE-2022-47509 | 4.3 Medium | 04/18/2023 | 04/18/2023 | SolarWinds Platform 2023.2 |
| SolarWinds Platform Local Privilege Escalation Vulnerability | CVE-2022-47505 | 7.8 High | 04/18/2023 | 04/18/2023 | SolarWinds Platform 2023.2 |
| SolarWinds Platform Directory Traversal | CVE-2022-47506 | 8.8 High | 02/15/2023 | 02/15/2023 | SolarWinds Platform 2023.1 |
| SolarWinds Platform Deserialization of Untrusted Data Vulnerability | CVE-2022-47503 | 8.8 High | 02/15/2023 | 02/15/2023 | SolarWinds Platform 2023.1 |
| SolarWinds Platform Deserialization of Untrusted Data Vulnerability | CVE-2023-23836 | 8.8 High | 02/15/2023 | 02/15/2023 | SolarWinds Platform 2023.1 |
| Disable NTLM: SAM 2022.4 | CVE-2022-47508 | 7.5 High | 02/15/2023 | 02/15/2023 | Hybrid Cloud Observability 2023.1 |
| SolarWinds Platform Deserialization of Untrusted Data Vulnerability | CVE-2022-47507 | 8.8 High | 02/15/2023 | 02/15/2023 | SolarWinds Platform 2023.1 |
| SolarWinds Platform Deserialization of Untrusted Data Vulnerability | CVE-2022-47504 | 8.8 High | 02/15/2023 | 02/15/2023 | SolarWinds Platform 2023.1 |
| SolarWinds Platform Deserialization of Untrusted Data Vulnerability | CVE-2022-38111 | 7.2 Medium | 02/15/2023 | 02/15/2023 | SolarWinds Platform 2023.1 |
| Reflected Cross-Site Scripting Vulnerability | CVE-2022-38110 | 6.3 Medium | 01/18/2023 | | Database Performance Analyzer 2023.1 |
| Sensitive Information Disclosure Vulnerability | CVE-2022-38112 | 6.3 Medium | 01/18/2023 | | Database Performance Analyzer 2023.1 |
| Sensitive Data Disclosure Vulnerability | CVE-2022-47512 | 6.0 Medium | 12/16/2022 | | Hybrid Cloud Observability / SolarWinds Platform 2022.4.1 |
| Cross-Site Scripting Vulnerability in Serv-U Web Client | CVE-2022-38106 | 7.5 High | 12/15/2022 | | Serv-U 15.3.2 |
| Common Key Vulnerability in Serv-U FTP Server | CVE-2021-35252 | 6.5 Medium | 12/15/2022 | | Serv-U 15.3.2 |
| Insecure Methods Vulnerability | CVE-2022-38115 | 3.1 Low | 11/22/2022 | 11/22/2022 | SEM 2022.4 |
| Client-Side Desync Vulnerability | CVE-2022-38114 | 3.7 Low | 11/22/2022 | 11/22/2022 | SEM 2022.4 |
| Information Disclosure Vulnerability | CVE-2022-38113 | 3.1 Low | 11/22/2022 | 11/22/2022 | SEM 2022.4 |
| SolarWinds Platform Command Injection | CVE-2022-36962 | 7.2 High | 11/22/2022 | | SolarWinds Platform 2022.4 |
| SolarWinds Platform Deserialization of Untrusted Data | CVE-2022-36964 | 8.8 High | 11/22/2022 | | SolarWinds Platform 2022.4 |
| Unprotected Transport of Credentials (HSTS) Vulnerability | CVE-2021-35246 | 5.3 Medium | 11/22/2022 | | Engineer’s Toolset 2022.4 Desktop |
| SolarWinds Platform Improper Input Validation | CVE-2022-36960 | 8.8 High | 11/22/2022 | | SolarWinds Platform 2022.4 |
| OpenSSL buffer overflows in punycode decoding functions | CVE-2022-3602, CVE-2022-3786 | 7.5 High (each) | 11/01/2022 | 11/10/2022 | OpenSSL 3.0.7 |
| Apache Commons Text4Shell Vulnerability | CVE-2022-42889 | 9.8 Critical | 10/26/2022 | 10/27/2022 | |
| SolarWinds Platform Deserialization of Untrusted Data | CVE-2022-38108 | 7.2 High | 10/19/2022 | | SolarWinds Platform 2022.4 RC1 |
| Insecure Direct Object Reference Vulnerability: SolarWinds Platform 2022.3 | CVE-2022-36966 | 5.9 Medium | 10/19/2022 | | SolarWinds Platform 2022.4 RC1 |
| SolarWinds Platform Deserialization of Untrusted Data | CVE-2022-36958 | 8.8 High | 10/19/2022 | | SolarWinds Platform 2022.4 RC1 |
| SolarWinds Platform Deserialization of Untrusted Data | CVE-2022-36957 | 7.2 High | 10/19/2022 | | SolarWinds Platform 2022.4 RC1 |
| Sensitive Data Disclosure Vulnerability | CVE-2022-38107 | 4.3 Medium | 10/18/2022 | 10/18/2022 | SQL Sentry 2022.4 |
| Stored and DOM XSS in QoE Applications: Orion Platform | CVE-2022-36965 | 7.1 High | 09/28/2022 | | SolarWinds Platform 2022.3 |
| SQL Injection in Orion Platform | CVE-2022-36961 | 8.0 High | 09/28/2022 | | SolarWinds Platform 2022.3 |
| Hashed Credential Exposure Vulnerability | CVE-2021-35226 | 2.7 Low | 09/28/2022 | | Hybrid Cloud Observability 2022.3 |
| Domain Admin Broken Access Control | CVE-2021-35249 | 4.3 Medium | 05/17/2022 | | Serv-U 15.3.1 |
| Cross-Site Scripting Vulnerability using SQL Query | CVE-2021-35229 | 6.8 High | 04/19/2022 | | DPA 2022.2 |
| 0-day Vulnerabilities in Spring | CVE-2022-22963, CVE-2022-22965 | N/A | 03/31/2022 | 04/11/2022 | 00.000 |
| Authenticated Remote Code Execution in Web Help Desk 12.7.8 | CVE-2021-35254 | 8.2 High | 03/24/2022 | 03/24/2022 | Web Help Desk 12.7.8 HF1 |
| Directory Traversal Vulnerability in Serv-U 15.3 | CVE-2021-35250 | 7.5 High | 03/02/2022 | 03/02/2022 | Serv-U 15.3 HF 1 |
| Sensitive Data Disclosure Vulnerability | CVE-2021-35251 | 5.3 Medium | 02/15/2022 | 02/15/2022 | WHD 12.7.8 |
| Improper Input Validation Vulnerability in Serv-U | CVE-2021-35247 | 4.3 Medium | 01/18/2022 | 01/18/2022 | Serv-U 15.3 |
| HTTP PUT & DELETE Methods Enabled | CVE-2021-35243 | 5.3 Medium | 12/24/2021 | | Web Help Desk 12.7.7 HF1 |
| Unrestricted access to Orion.UserSettings SWIS entity for low-privilege users | CVE-2021-35248 | 6.8 Medium | 12/20/2021 | | Orion 2020.2.6 HF3 |
| Unrestricted File Upload Causing Remote Code Execution: Orion 2020.2.6 | CVE-2021-35244 | 6.8 High | 12/20/2021 | | Orion 2020.2.6 HF3 |
| Exposed Dangerous Functions - Privileged Escalation | CVE-2021-35234 | 8.0 High | 12/20/2021 | | Orion Platform 2020.2.6 HF3 |
| JMSAppender Associated with Log4j Vulnerability | CVE-2021-4104 | 8.1 High | 12/17/2021 | 12/17/2021 | |
| JNDI Lookup Functionality Associated with Log4j Vulnerability | CVE-2021-45046 | 9.0 Critical | 12/14/2021 | 12/23/2021 | |
| Apache Log4j Critical Vulnerability | CVE-2021-44228 | 10.0 Critical | 12/12/2021 | 01/14/2022 | |
| A valid CSRF token is present in response to an invalid request | CVE-2021-35242 | 8.3 High | 12/03/2021 | 12/03/2021 | Serv-U 15.2.5 |
| Broken Access Control Vulnerability for Serv-U | CVE-2021-35245 | 8.4 High | 12/02/2021 | 12/02/2021 | Serv-U 15.2.5 |
| HTTP TRACK and TRACK Methods Enabled Vulnerability | CVE-2021-35233 | 5.3 Medium | 10/19/2021 | | Kiwi Syslog Server 9.8 |
| Clickjacking Vulnerability | CVE-2021-35237 | 5.0 Medium | 10/19/2021 | | Kiwi Syslog Server 9.8 |
| Missing Secure Flag from SSL Cookie Vulnerability | CVE-2021-35236 | 3.1 Low | 10/19/2021 | | Kiwi Syslog Server 9.8 |
| ASP.NET Debug Feature Enabled Vulnerability | CVE-2021-35235 | 5.3 Medium | 10/19/2021 | | Kiwi Syslog Server 9.8 |
| Unquoted Path Vulnerability - SMB Login | CVE-2021-35231 | 6.7 Medium | 10/19/2021 | | Kiwi Syslog Server 9.8 |
| Unquoted Path Vulnerability (SMB Login) with Kiwi CatTools | CVE-2021-35230 | 6.7 Medium | 10/19/2021 | | Kiwi CatTools 3.12 |
| Reflected Cross Site Scripting affecting SolarWinds: DPA 2021.3.7388 | CVE-2021-35228 | 5.5 Medium | 10/19/2021 | | DPA 2021.3.7438 |
| Insecure Web Header Vulnerability - RabbitMQLogin | CVE-2021-35227 | 4.7 Medium | 10/19/2021 | | ARM 2021.4 |
| NPM Netpath Horizontal Privilege Escalation Vulnerability | CVE-2021-35225 | 5.0 Medium | 10/19/2021 | | NPM 2020.2.6 HF2 |
| Critical bug in SolarWinds Web Help Desk allows an attacker to execute Arbitrary Hibernate Queries | CVE-2021-35232 | 6.8 Medium | 09/13/2021 | | Web Help Desk 12.7.7 Hotfix 1 |
| Pingdom Session Management Vulnerability | CVE-2021-35214 | 4.8 Medium | 09/13/2021 | | Pingdom |
| Execute Command Function Allows RCE Vulnerability | CVE-2021-35223 | 8.5 High | 08/20/2021 | | Serv-U 15.2.4 |
| Insecure Deserialization Of Untrusted Data Causing Remote Code Execution Vulnerability | CVE-2021-35217 | 8.9 High | 08/20/2021 | | Patch Manager 2020.2.6 HF1 |
| Access Restriction Bypass Via Referrer Spoof - Business Logic Bypass Vulnerability | CVE-2021-32076 | 5.8 Medium | 08/20/2021 | | Web Help Desk 12.7.6 |
| Stored XSS Via Help Server Setting Vulnerability | CVE-2021-35240 | 6.5 High | 07/20/2021 | 08/24/2021 | Orion Platform 2020.2.6 HF1 |
| Stored XSS Via Maps Text Box Hyperlink Vulnerability | CVE-2021-35239 | 7.5 High | 07/20/2021 | 08/24/2021 | Orion Platform 2020.2.6 HF1 |
| Stored XSS Through URL POST Parameter In CreateExternalWebsite Vulnerability | CVE-2021-35238 | 7.1 High | 07/20/2021 | 08/24/2021 | Orion Platform 2020.2.6 HF1 |
| ActionPluginBaseView Deserialization of Untrusted Data RCE Vulnerability | CVE-2021-35215 | 8.9 High | 07/15/2021 | | Orion Platform 2020.2.6 |
| Resource.aspx Reflected Cross-Site Scripting Vulnerability | CVE-2021-35222 | 8.0 High | 07/15/2021 | 08/24/2021 | Orion Platform 2020.2.6 HF1 |
| ImportAlert Improper Access Control Tampering Vulnerability | CVE-2021-35221 | 6.3 Medium | 07/15/2021 | 08/24/2021 | Orion Platform 2020.2.6 HF 1 |
| EmailWebPage Command Injection Remote Code Execution Vulnerability | CVE-2021-35220 | 8.1 High | 07/15/2021 | 08/24/2021 | Orion Platform 2020.2.6 HF1 |
| ExportToPdfCmd Arbitrary File Read Information Disclosure Vulnerability | CVE-2021-35219 | 6.0 Medium | 07/15/2021 | 08/24/2021 | Orion Platform 2020.2.6 HF1 |
| Chart Endpoint Deserialization of Untrusted Data RCE Vulnerability | CVE-2021-35218 | 8.9 High | 07/15/2021 | | Patch Manager 2020.2.6 |
| Insecure Deserialization Of Untrusted Data Causing Remote Code Execution Vulnerability | CVE-2021-35216 | 8.9 High | 07/15/2021 | | Patch Manager 2020.2.6 |
| Orion User setting Improper Access Control Privilege Escalation Vulnerability | CVE-2021-35213 | 8.9 High | 07/15/2021 | | Orion Platform 2020.2.6 |
| Blind SQL Injection Vulnerability | CVE-2021-35212 | 8.9 High | 07/15/2021 | | Orion Platform 2020.2.5 HF1, 2020.2.6, 2019.4.2, 2019.2 HF4 |
| Privilege Escalation Vulnerability | CVE-2021-31217 | 6.5 Medium | 07/15/2021 | | Dameware 12.2 |
| Serv-U Remote Memory Escape Vulnerability | CVE-2021-35211 | 9.0 Critical | 07/09/2021 | 07/15/2021 | Serv-U 15.2.3 HF2 |
| Broken Access Control On Node Management Vulnerability | CVE-2021-28674 | 4.6 Medium | 05/13/2021 | | Orion Platform 2020.2.6, 2020.2.5 HF1 |
| SenderEmail Parameter XSS Vulnerability | CVE-2021-32604 | 6.9 Medium | 05/05/2021 | | Serv-U 15.2.3 |
| SolarWinds Orion Job Scheduler Remote Code Execution Vulnerability | CVE-2021-31475 | 8.8 High | 03/25/2021 | | Orion Platform 2020.2.5 |
| RCE via Actions and JSON Deserialization Vulnerability | CVE-2021-31474 | 9.1 Critical | 03/25/2021 | | Orion Platform 2020.2.5 |
| Reverse Tabnabbing and Open Redirect Vulnerability | CVE-2021-3109 | 4.3 Medium | 03/25/2021 | | Orion Platform 2020.2.5 |
| Deserialization of Untrusted Data Privilege Escalation Vulnerability | CVE-2021-27277 | 8.8 High | 03/25/2021 | 04/14/2021 | SAM 2020.2.5 |
| SaveUserSetting Improper Access Control Privilege Escalation Vulnerability | CVE-2021-27258 | 8.9 High | 03/25/2021 | | Orion Platform 2020.2.4 |
| Unprivileged Users can get DBO owner Access Vulnerability | CVE-2021-25275 | 8.2 High | 02/05/2021 | | Web Help Desk 12.7.7 HF1 |
| MSMQ Remote Code Execution Vulnerability | CVE-2021-25274 | 8.3 High | 02/05/2021 | | Orion Platform 2020.2.4, 2019.4.2, 2019.2 HF4 |
| Windows "Users" Directory Weak ACLs Vulnerability | CVE-2021-25276 | 8.8 High | 01/18/2021 | 02/04/2021 | Serv-U 15.2.2 HF 1 |
| Deserialization of Untrusted Data Privilege Escalation Vulnerability | CVE-2021-27240 | 8.7 High | 12/15/2020 | | Patch Manager 2020.2.1 HF 1 |
| Heap Memory Corruption With RSA Private Key Operation | CVE-2022-2274 | 9.8 Critical | | | |