CVE-2023-23836

CVSS v2.0

9.0

Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions SolarWinds Platform version 2022.4.1

Description The issue is related to the deserialization of untrusted data in the SolarWinds Orion Platform, which can be exploited by a remote adversary with admin-level access to the SolarWinds Web Console. This allows the execution of arbitrary commands. The vulnerability is associated with deficiencies in the deserialization mechanism.

Recommendations For SolarWinds Platform version 2022.4.1, consider disabling the

CredentialInitializer

function as a temporary workaround until a patch is available. Restrict access to the SolarWinds Web Console to minimize the risk of exploitation. Avoid using the deserialization mechanism with untrusted data until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-502

Related Identifiers

BDU:2023-07700

CVE-2023-23836

ZDI-23-170

Affected Products

Solarwinds Orion Platform

Solarwinds Platform

Solarwinds Web Console

CVE-2023-23836

Weakness Enumeration

Related Identifiers

Affected Products

References · 9