CVE-2019-12864 - OpenCVE

SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) is vulnerable to Information Leakage, because of improper error handling with stack traces, as demonstrated by discovering a full pathname upon a 500 Internal Server Error via the api2/swis/query?lang=en-us&swAlertOnError=false query parameter.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:L/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Solarwinds	Netpath Network Performance Monitor Orion Platform

Configuration 1 [-]

OR	cpe:2.3:a:solarwinds:netpath:1.1.4:::::::*
	cpe:2.3:a:solarwinds:network_performance_monitor:12.4:::::::*
	cpe:2.3:a:solarwinds:orion_platform:2018.4:hotfix3::::::

No data.

References

Link	Providers
https://www.esecforte.com/network-performance-monitor-india-esec-forte-technologies/
https://www.solarwinds.com/network-performance-monitor

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-05-04T13:30:46

Updated: 2024-08-04T23:32:55.509Z

Reserved: 2019-06-16T00:00:00

Link: CVE-2019-12864

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-05-04T14:15:12.763

Modified: 2021-07-21T11:39:23.747

Link: CVE-2019-12864

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) is vulnerable to Information Leakage, because of improper error handling with stack traces, as demonstrated by discovering a full pathname upon a 500 Internal Server Error via the api2/swis/query?lang=en-us&swAlertOnError=false query parameter."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-04T13:30:46", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.solarwinds.com/network-performance-monitor"}, {"tags": ["x_refsource_MISC"], "url": "https://www.esecforte.com/network-performance-monitor-india-esec-forte-technologies/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-12864", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) is vulnerable to Information Leakage, because of improper error handling with stack traces, as demonstrated by discovering a full pathname upon a 500 Internal Server Error via the api2/swis/query?lang=en-us&swAlertOnError=false query parameter."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.solarwinds.com/network-performance-monitor", "refsource": "MISC", "url": "https://www.solarwinds.com/network-performance-monitor"}, {"name": "https://www.esecforte.com/network-performance-monitor-india-esec-forte-technologies/", "refsource": "MISC", "url": "https://www.esecforte.com/network-performance-monitor-india-esec-forte-technologies/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T23:32:55.509Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.solarwinds.com/network-performance-monitor"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.esecforte.com/network-performance-monitor-india-esec-forte-technologies/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-12864", "datePublished": "2020-05-04T13:30:46", "dateReserved": "2019-06-16T00:00:00", "dateUpdated": "2024-08-04T23:32:55.509Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:netpath:1.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "F909CC55-E476-4D58-8169-5FE46670AFE6", "vulnerable": true}, {"criteria": "cpe:2.3:a:solarwinds:network_performance_monitor:12.4:*:*:*:*:*:*:*", "matchCriteriaId": "DCF8FA42-503B-4EDE-81B0-AE25A654E623", "vulnerable": true}, {"criteria": "cpe:2.3:a:solarwinds:orion_platform:2018.4:hotfix3:*:*:*:*:*:*", "matchCriteriaId": "EADD78FC-8E9C-468F-BF35-76D29047898F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) is vulnerable to Information Leakage, because of improper error handling with stack traces, as demonstrated by discovering a full pathname upon a 500 Internal Server Error via the api2/swis/query?lang=en-us&swAlertOnError=false query parameter."}, {"lang": "es", "value": "Orion Platform versi\u00f3n 2018.4 HF3 de SolarWinds (NPM versi\u00f3n 12.4, NetPath versi\u00f3n 1.1.4), es vulnerable a una Filtraci\u00f3n de Informaci\u00f3n, debido al manejo inapropiado de errores con rastros de pila, como es demostrado al detectar una ruta completa en un Error de Servidor Interno 500 mediante el par\u00e1metro query de api2/swis/query?lang=en-us&swAlertOnError=false."}], "id": "CVE-2019-12864", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-05-04T14:15:12.763", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.esecforte.com/network-performance-monitor-india-esec-forte-technologies/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.solarwinds.com/network-performance-monitor"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "nvd@nist.gov", "type": "Primary"}]}