PT-2021-17362 · Solarwinds · Solarwinds Orion Platform

Chudypb +1

Published: 2021-04-14
Updated: 2022-07-29

CVE-2021-27258

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: SolarWinds Orion Platform version 2020.2
Description: This issue allows remote attackers to escalate privileges on affected installations. Authentication is not required to exploit this issue. The specific flaw exists within the "SaveUserSetting" endpoint, resulting from improper restriction of this endpoint to unprivileged users. An attacker can leverage this issue to escalate privileges from Guest to Administrator.
Recommendations: For SolarWinds Orion Platform version 2020.2, restrict access to the "SaveUserSetting" endpoint to prevent unprivileged users from exploiting this issue. As a temporary workaround, consider disabling the "SaveUserSetting" endpoint until a patch is available.
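The weakness described above is an endpoint that writes user settings without checking who the caller is or which setting is being written. The following added example (constructed for this page, not SolarWinds Orion code; every name, role string and setting key in it is hypothetical) models such a "save user setting" handler in its vulnerable form next to a hardened form that requires authentication, limits ordinary callers to their own self-service settings, and reserves privilege-changing settings for administrators.

```python
"""Minimal model of a "save user setting" endpoint, vulnerable vs. hardened.

Constructed example for illustration only; not SolarWinds Orion code.
User names, role strings and setting keys are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


class Forbidden(Exception):
    """Raised when the hardened handler rejects a request."""


@dataclass
class User:
    name: str
    role: str                       # "Guest", "User" or "Administrator"
    settings: dict = field(default_factory=dict)


# Settings an ordinary caller may change on their own account (hypothetical).
SELF_SERVICE_SETTINGS = {"theme", "timezone", "page_size"}
# Settings that change privilege; only an administrator may write them.
PRIVILEGED_SETTINGS = {"role"}


def _apply(users: Dict[str, User], target: str, key: str, value) -> User:
    """Persist the setting; a change to "role" also changes the account's role."""
    user = users[target]
    user.settings[key] = value
    if key == "role":
        user.role = value
    return user


def save_user_setting_vulnerable(users: Dict[str, User], caller: Optional[User],
                                 target: str, key: str, value) -> User:
    """Vulnerable form: no authentication, ownership or key restriction.

    An anonymous or Guest caller can set "role" on any account, which is the
    Guest-to-Administrator escalation class described in the advisory.
    """
    return _apply(users, target, key, value)


def save_user_setting_hardened(users: Dict[str, User], caller: Optional[User],
                               target: str, key: str, value) -> User:
    """Hardened form: authenticate, then authorize per setting key."""
    if caller is None:
        raise Forbidden("authentication required")
    if target not in users:
        raise Forbidden("unknown target account")
    if key in PRIVILEGED_SETTINGS:
        # Privilege changes are an administrative action, never self-service.
        if caller.role != "Administrator":
            raise Forbidden("administrator role required")
    elif key in SELF_SERVICE_SETTINGS:
        # Non-admins may only touch their own account.
        if caller.name != target and caller.role != "Administrator":
            raise Forbidden("may only change own settings")
    else:
        # Deny-by-default: unknown keys are never writable through this endpoint.
        raise Forbidden(f"setting {key!r} is not writable here")
    return _apply(users, target, key, value)


def demo() -> dict:
    """Run both handlers against the same constructed accounts; return outcomes."""
    def fresh():
        return {"guest": User("guest", "Guest"), "admin": User("admin", "Administrator")}

    out = {}
    users = fresh()
    # Vulnerable: a Guest promotes itself to Administrator.
    out["vuln_guest_role"] = save_user_setting_vulnerable(
        users, users["guest"], "guest", "role", "Administrator").role

    users = fresh()
    # Hardened: the same request is refused and the role is unchanged.
    try:
        save_user_setting_hardened(users, users["guest"], "guest", "role", "Administrator")
        out["hard_guest_role_refused"] = False
    except Forbidden:
        out["hard_guest_role_refused"] = True
    out["hard_guest_role"] = users["guest"].role
    # Hardened: anonymous callers are refused outright.
    try:
        save_user_setting_hardened(users, None, "guest", "theme", "dark")
        out["hard_anon_refused"] = False
    except Forbidden:
        out["hard_anon_refused"] = True
    # Hardened: a Guest may still change its own self-service setting ...
    out["hard_guest_theme"] = save_user_setting_hardened(
        users, users["guest"], "guest", "theme", "dark").settings["theme"]
    # ... and an Administrator may change a role.
    out["hard_admin_sets_role"] = save_user_setting_hardened(
        users, users["admin"], "guest", "role", "User").role
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is the ordering of checks in the hardened handler: authentication first, then a per-key decision that treats privilege fields as administrative and everything not explicitly listed as non-writable, so a new setting added later is denied until someone decides who may write it.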

Fix

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2021-27258
ZDI-21-192

Affected Products

Solarwinds Orion Platform