Main Vulnerability Database Vulnerabilities #VU69540

#VU69540 OS Command Injection in Orion Platform - CVE-2022-36962

Published: November 23, 2022 / Updated: November 23, 2022

Vulnerability identifier: #VU69540

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2022-36962

CWE-ID: CWE-78

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Orion Platform

Software vendor:
SolarWinds

Description

The vulnerability allows a remote user to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation within the GetPdf function. A remote privileged user with complete control over the SolarWinds database can pass specially crafted data to the application and execute arbitrary OS commands on the target system.

Remediation

Install updates from vendor's website.

External links

https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36962
https://www.zerodayinitiative.com/advisories/ZDI-22-1663/