#VU57644 Permissions, Privileges, and Access Controls in Orion Platform - CVE-2021-35213

 


Published: October 26, 2021 / Updated: October 28, 2021


Vulnerability identifier: #VU57644
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-35213
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Orion Platform
Software vendor: SolarWinds

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in the User Setting of Orion Platform within the SaveUserSetting endpoint. A remote authenticated guest can gain administrative privileges within the application.


Remediation

Install updates from the vendor's website.

External links