SQL injection in Orion Platform - CVE-2021-35234

Published: December 21, 2021 / Updated: December 27, 2021


Vulnerability identifier: #VU59075
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-35234
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Orion Platform
Software vendor: SolarWinds

Description

The vulnerability allows a remote authenticated user to execute arbitrary SQL queries against the application database.

The vulnerability exists due to insufficient sanitization of user-supplied data before it is used in an SQL query (CWE-89). A remote user with low privileges (PR:L in the vector above) can send a specially crafted request to the affected application and exfiltrate data from the application database. Successful exploitation of the vulnerability may lead to privilege escalation.
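The following is an added illustration of the weakness class this advisory describes (CWE-89, user-supplied data concatenated into an SQL query) beside the remediated form. It is not SolarWinds code and does not reproduce the affected Orion request; the table, rows, column names and payload are constructed for the example, and SQLite is used only so that it runs offline.

```python
import sqlite3

# Constructed sample data for the example (not from any real deployment).
USERS = [
    ("alice", "ops", 0),
    ("bob", "readonly", 0),
    ("orionadmin", "admin", 1),
]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Accounts (AccountID TEXT, Role TEXT, AllowAdmin INTEGER)"
    )
    conn.executemany("INSERT INTO Accounts VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def lookup_role_vulnerable(conn, account_id):
    """CWE-89 pattern: the caller-controlled value becomes part of the SQL text.

    Anything the caller supplies is parsed by the database as SQL syntax,
    so a quote character lets the caller rewrite the statement.
    """
    sql = f"SELECT Role FROM Accounts WHERE AccountID = '{account_id}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_role_fixed(conn, account_id):
    """Remediated pattern: the value is bound as a parameter.

    The statement text is fixed at development time; the database only ever
    treats the supplied string as data, however it is shaped.
    """
    sql = "SELECT Role FROM Accounts WHERE AccountID = ?"
    return [row[0] for row in conn.execute(sql, (account_id,))]


# Constructed payload: closes the string literal, appends a UNION that pulls
# rows the low-privileged caller should never see, and comments out the
# quote the original query would have appended.
PAYLOAD = "x' UNION SELECT AccountID FROM Accounts WHERE AllowAdmin = 1 --"


def demo():
    """Run the same payload through both code paths and return the results."""
    conn = make_db()
    return {
        # vulnerable path: the UNION executes and leaks the admin account name
        "vulnerable": lookup_role_vulnerable(conn, PAYLOAD),
        # fixed path: the payload is compared literally against AccountID
        "fixed": lookup_role_fixed(conn, PAYLOAD),
        # fixed path still works for an ordinary lookup
        "normal": lookup_role_fixed(conn, "bob"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point of the contrast is that "sanitization" in the sense of escaping or stripping quote characters is not the fix: it has to be applied at every call site and is easily bypassed by encoding or by contexts that do not use quotes (numeric fields, ORDER BY). Parameterized queries, as in `lookup_role_fixed`, remove the ambiguity between code and data at the protocol level, which is why vendor patches for this class of bug generally replace string building with bound parameters rather than adding filters.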


Remediation

Install the update from the vendor's website.

External links