Main Vulnerability Database Vulnerabilities #VU49924

#VU49924 Path traversal in Orion Platform and Orion Network Performance Monitor - CVE-2020-27871

Published: January 22, 2021

Vulnerability identifier: #VU49924

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:H/E:U/U:Green

CVE-ID: CVE-2020-27871

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Orion Platform
Orion Network Performance Monitor

Software vendor:
SolarWinds

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within VulnerabilitySettings.aspx in SolarWinds Network Performance Monitor. A remote user can send a specially crafted HTTP request and create arbitrary files on the system in arbitrary directories.

Successful exploitation of the vulnerability can lead to arbitrary code execution in the context of SYSTEM account.

Remediation

Install update from vendor's website.

External links

https://www.zerodayinitiative.com/advisories/ZDI-21-067/

#VU49924 Path traversal in Orion Platform and Orion Network Performance Monitor - CVE-2020-27871

Description

Remediation

External links

Please verify you're human