CVE-2023-40058 - Vulnerability Details - OpenCVE

Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00266.

Key SSVC decision points have not yet been added.

Vendors	Products
Solarwinds	Access Rights Manager

Configuration 1 [-]

cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-44665	Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment.

Fixes

Solution

All SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.2

Workaround

https://support.solarwinds.com/SuccessCenter/s/article/Creating-a-unique-RabbitMQ-account-in-SolarWi... https://support.solarwinds.com/SuccessCenter/s/article/Creating-a-unique-RabbitMQ-account-in-SolarWinds-ARM

References

Link	Providers
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40058

History

No history.

MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published: 2023-12-21T16:14:48.077Z

Updated: 2024-08-27T15:01:09.799Z

Reserved: 2023-08-08T23:22:08.618Z

Link: CVE-2023-40058

Vulnrichment

Updated: 2024-08-02T18:24:54.655Z

NVD

Status : Modified

Published: 2023-12-21T17:15:07.763

Modified: 2024-11-21T08:18:37.423

Link: CVE-2023-40058

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40058", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "state": "PUBLISHED", "assignerShortName": "SolarWinds", "dateReserved": "2023-08-08T23:22:08.618Z", "datePublished": "2023-12-21T16:14:48.077Z", "dateUpdated": "2024-08-27T15:01:09.799Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Access Rights Manager", "vendor": "SolarWinds", "versions": [{"lessThanOrEqual": "2023.2.1", "status": "affected", "version": "previous versions", "versionType": "2023.2.1"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Anonymous working with Trend Micro Zero Day Initiative"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment. <br>\n\n\n\n\n\n"}], "value": "Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment. \n\n\n\n\n\n\n"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2024-01-04T13:33:57.792Z"}, "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40058"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.2<br>"}], "value": "\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.2\n"}], "source": {"discovery": "UNKNOWN"}, "title": "Sensitive Information Disclosure Vulnerability ", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<a target=\"_blank\" rel=\"nofollow\" href=\"https://support.solarwinds.com/SuccessCenter/s/article/Creating-a-unique-RabbitMQ-account-in-SolarWinds-ARM\">https://support.solarwinds.com/SuccessCenter/s/article/Creating-a-unique-RabbitMQ-account-in-SolarWi...</a><br>"}], "value": " https://support.solarwinds.com/SuccessCenter/s/article/Creating-a-unique-RabbitMQ-account-in-SolarWi... https://support.solarwinds.com/SuccessCenter/s/article/Creating-a-unique-RabbitMQ-account-in-SolarWinds-ARM \n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.655Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40058", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-27T14:50:37.212340Z", "id": "CVE-2023-40058", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-27T15:01:09.799Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40058", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.655Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-40058", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-27T14:50:37.212340Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-27T15:01:03.147Z"}}], "cna": {"title": "Sensitive Information Disclosure Vulnerability ", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Anonymous working with Trend Micro Zero Day Initiative"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SolarWinds", "product": "Access Rights Manager", "versions": [{"status": "affected", "version": "previous versions", "versionType": "2023.2.1", "lessThanOrEqual": "2023.2.1"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.2\n", "supportingMedia": [{"type": "text/html", "value": "\n\nAll SolarWinds Access Rights Manager customers are advised to upgrade to the latest version of the SolarWinds Access Rights Manager 2023.2.2<br>", "base64": false}]}], "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40058"}], "workarounds": [{"lang": "en", "value": " https://support.solarwinds.com/SuccessCenter/s/article/Creating-a-unique-RabbitMQ-account-in-SolarWi... https://support.solarwinds.com/SuccessCenter/s/article/Creating-a-unique-RabbitMQ-account-in-SolarWinds-ARM \n", "supportingMedia": [{"type": "text/html", "value": "<a target=\"_blank\" rel=\"nofollow\" href=\"https://support.solarwinds.com/SuccessCenter/s/article/Creating-a-unique-RabbitMQ-account-in-SolarWinds-ARM\">https://support.solarwinds.com/SuccessCenter/s/article/Creating-a-unique-RabbitMQ-account-in-SolarWi...</a><br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment. \n\n\n\n\n\n\n", "supportingMedia": [{"type": "text/html", "value": "Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment. <br>\n\n\n\n\n\n", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2024-01-04T13:33:57.792Z"}}}, "cveMetadata": {"cveId": "CVE-2023-40058", "state": "PUBLISHED", "dateUpdated": "2024-08-27T15:01:09.799Z", "dateReserved": "2023-08-08T23:22:08.618Z", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "datePublished": "2023-12-21T16:14:48.077Z", "assignerShortName": "SolarWinds"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:access_rights_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "6285B061-B997-46F8-817E-8485E00E4FD9", "versionEndIncluding": "2023.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment. \n\n\n\n\n\n\n"}, {"lang": "es", "value": "Se agregaron datos confidenciales a nuestra base de conocimiento p\u00fablica que, si se explotan, podr\u00edan usarse para acceder a componentes de Access Rights Manager (ARM) si el actor de la amenaza se encuentra en el mismo entorno."}], "id": "CVE-2023-40058", "lastModified": "2024-11-21T08:18:37.423", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "psirt@solarwinds.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2023-12-21T17:15:07.763", "references": [{"source": "psirt@solarwinds.com", "tags": ["Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40058"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40058"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "psirt@solarwinds.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}