CVE-2021-35244
Summary
| CVE | CVE-2021-35244 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-12-20 21:15:00 UTC |
| Updated | 2022-03-17 17:54:00 UTC |
| Description | The "Log alert to a file" action within action management enables any Orion Platform user with Orion alert management rights to write to any file. An attacker with Orion alert management rights could use this vulnerability to perform an unrestricted file upload causing a remote code execution. |
Risk And Classification
Problem Types: CWE-434
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Microsoft | Windows | - | All | All | All |
| Application | Solarwinds | Orion Platform | All | All | All | All |
| Application | Solarwinds | Orion Platform | 2020.2.6 | - | All | All |
| Application | Solarwinds | Orion Platform | 2020.2.6 | hotfix1 | All | All |
| Application | Solarwinds | Orion Platform | 2020.2.6 | hotfix2 | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| ZDI-22-375 \| Zero Day Initiative | MISC | www.zerodayinitiative.com | |
| Success Center | MISC | support.solarwinds.com | |
| Secure Configuration for the Orion Platform | MISC | documentation.solarwinds.com | |
| SolarWinds Trust Center Security Advisories \| CVE-2021-35242 | MISC | www.solarwinds.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: dibs working with Trend Micro's Zero Day Initiative.
There are currently no legacy QID mappings associated with this CVE.