Hi, what are you looking for?
SolarWinds has patched two high-severity vulnerabilities that could lead to command execution and privilege escalation.
Two high-severity vulnerabilities patched recently in SolarWinds Platform could lead to command execution and privilege escalation.
The most severe of the two issues is CVE-2022-36963 (CVSS score of 8.8), which is described as a command injection bug in SolarWinds’ infrastructure monitoring and management solution.
The flaw, the company explains, can be exploited remotely to execute arbitrary commands. Successful exploitation of the vulnerability requires that the attacker is in the possession of credentials for a valid SolarWinds Platform admin account.
Tracked as CVE-2022-47505 (CVSS score of 7.8), the second high-severity issue is described as a local privilege escalation flaw.
“This vulnerability allows a local adversary with a valid system user account to escalate local privileges,” SolarWinds explains.
Both issues were reported by Trend Micro Zero Day Initiative researchers and both were addressed with the release of SolarWinds Platform version 2023.2.
The software release also resolves CVE-2022-47509, a medium-severity incorrect input neutralization vulnerability that could be exploited remotely to append URL parameters to inject HTML code. A valid account is required to exploit the issue.
SolarWinds also addressed two medium-severity bugs in Database Performance Analyzer, one leading to sensitive information disclosure and another allowing users to enumerate to different folders of the server.
Database Performance Analyzer version 2023.2 resolves both vulnerabilities.
SolarWinds makes no mention of any of these flaws being exploited in attacks. Additional details on the bugs can be found on the SolarWinds security advisories page.
Related: SolarWinds Announces Upcoming Patches for High-Severity Vulnerabilities
Related: SolarWinds Warns of Attacks Targeting Web Help Desk Users
Related: SolarWinds Patches Serv-U Vulnerability Propagating Log4j Attacks
Ionut Arghire is an international correspondent for SecurityWeek.
Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.
Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.
Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.
There are key steps every organization should take to leverage threat and event data across the lifecycle of a cyber incident. (Marc Solomon)
The Cybersecurity Resilience Quotient empowers organizations to assess their security posture comprehensively, considering asset exposure, vulnerabilities, and criticality alongside process and network architecture and disaster recovery plans. (Rik Ferguson)
By implementing strong security practices,, organizations can significantly reduce the risks associated with lost and stolen computers and safeguard their sensitive information. (Torsten George)
While there is quite a bit of buzz and hype around AI, it is a technology that can add tremendous value to security programs. (Joshua Goldfarb)
Addressing the people problem with effective approaches and tools for users and security practitioners will enable us to work smarter, and force attackers into a position where they must work harder. (Marc Solomon)
Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher…
OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an…
The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be…
A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car…
A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable…
Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.
Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.
The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.
Got a confidential news tip? We want to hear from you.
Reach a large audience of enterprise cybersecurity professionals
Subscribe to the SecurityWeek Daily Briefing and get the latest content delivered to your inbox.
Copyright © 2023 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.