CVE-2022-36961 - OpenCVE

A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Solarwinds	Orion Platform

Configuration 1 [-]

cpe:2.3:a:solarwinds:orion_platform:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961

History

Mon, 16 Sep 2024 20:45:00 +0000

Type	Values Removed	Values Added
Description	A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution.	A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution.

MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published: 2022-09-30T16:06:10.288797Z

Updated: 2024-09-16T20:31:16.687Z

Reserved: 2022-07-27T00:00:00

Link: CVE-2022-36961

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-09-30T17:15:13.010

Modified: 2024-09-16T21:15:44.850

Link: CVE-2022-36961

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Orion Platform", "vendor": "SolarWinds", "versions": [{"lessThan": "2022.2.3", "status": "affected", "version": "2022.2.3 and previous versions", "versionType": "custom"}]}], "datePublic": "2022-09-27T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution.</p>"}], "value": "A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-08-03T16:46:36.401Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>All SolarWinds Platform customers are advised to upgrade to the latest generally available service update. (SolarWinds Platform)</p>"}], "value": "All SolarWinds Platform customers are advised to upgrade to the latest generally available service update. (SolarWinds Platform)"}], "source": {"defect": ["CVE-2022-36961"], "discovery": "UNKNOWN"}, "title": "Orion Platform SQL Injection Privilege Escalation Vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@solarwinds.com", "DATE_PUBLIC": "2022-09-28T14:35:00.000Z", "ID": "CVE-2022-36961", "STATE": "PUBLIC", "TITLE": "Orion Platform SQL Injection Privilege Escalation Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Orion Platform", "version": {"version_data": [{"version_affected": "<", "version_name": "2022.2.3 and previous versions", "version_value": "2022.2.3"}]}}]}, "vendor_name": "SolarWinds"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961", "refsource": "CONFIRM", "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961"}, {"name": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm", "refsource": "CONFIRM", "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm"}]}, "solution": [{"lang": "en", "value": "All SolarWinds Platform customers are advised to upgrade to the latest generally available service update. (SolarWinds Platform)"}], "source": {"defect": ["CVE-2022-36961"], "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:21:32.333Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm"}]}]}, "cveMetadata": {"assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "assignerShortName": "SolarWinds", "cveId": "CVE-2022-36961", "datePublished": "2022-09-30T16:06:10.288797Z", "dateReserved": "2022-07-27T00:00:00", "dateUpdated": "2024-09-16T20:31:16.687Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:orion_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "B721D56C-DD6B-4C63-8438-5B888332D9B6", "versionEndIncluding": "2022.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution."}, {"lang": "es", "value": "Un verbo usado en Orion era vulnerable a una inyecci\u00f3n de SQL, un atacante autenticado podr\u00eda aprovechar esto para la escalada de privilegios o una ejecuci\u00f3n de c\u00f3digo remota"}], "id": "CVE-2022-36961", "lastModified": "2024-09-16T21:15:44.850", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "psirt@solarwinds.com", "type": "Secondary"}]}, "published": "2022-09-30T17:15:13.010", "references": [{"source": "psirt@solarwinds.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm"}, {"source": "psirt@solarwinds.com", "tags": ["Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "psirt@solarwinds.com", "type": "Secondary"}]}