CVE-2019-12864

Name of the Vulnerable Software and Affected Versions: SolarWinds Orion Platform version 2018.4 HF3 (NPM 12.4, NetPath 1.1.4)

Description: The issue is related to improper error handling with stack traces, which can lead to information leakage. This can be demonstrated by discovering a full pathname upon a 500 Internal Server Error via the "api2/swis/query?lang=en-us&swAlertOnError=false" query parameter.

Recommendations: For SolarWinds Orion Platform version 2018.4 HF3 (NPM 12.4, NetPath 1.1.4), consider disabling the api2/swis/query endpoint until a patch is available to prevent information leakage. Restrict access to the lang and swAlertOnError parameters in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.