OpenCVE

SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Solarwinds	Solarwinds Platform

Configuration 1 [-]

cpe:2.3:a:solarwinds:solarwinds_platform:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://documentation.solarwinds.com/en/success_center/hco/content/release_notes/hco_2023-4_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40062

History

No history.

MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published: 2023-11-01T15:29:56.898Z

Updated: 2024-09-05T19:40:57.255Z

Reserved: 2023-08-08T23:22:08.619Z

Link: CVE-2023-40062

Vulnrichment

Updated: 2024-08-02T18:24:54.791Z

NVD

Status : Modified

Published: 2023-11-01T16:15:08.697

Modified: 2024-11-21T08:18:37.847

Link: CVE-2023-40062

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40062", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "state": "PUBLISHED", "assignerShortName": "SolarWinds", "dateReserved": "2023-08-08T23:22:08.619Z", "datePublished": "2023-11-01T15:29:56.898Z", "dateUpdated": "2024-09-05T19:40:57.255Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SolarWinds Platform ", "vendor": "SolarWinds ", "versions": [{"status": "affected", "version": "2023.3.1 and previous versions "}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges."}], "value": "SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges."}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-11-01T15:29:56.898Z"}, "references": [{"url": "https://documentation.solarwinds.com/en/success_center/hco/content/release_notes/hco_2023-4_release_notes.htm"}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40062"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.4<br>"}], "value": "All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.4\n"}], "source": {"discovery": "UNKNOWN"}, "title": "Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.791Z"}, "title": "CVE Program Container", "references": [{"url": "https://documentation.solarwinds.com/en/success_center/hco/content/release_notes/hco_2023-4_release_notes.htm", "tags": ["x_transferred"]}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40062", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-05T19:40:44.516095Z", "id": "CVE-2023-40062", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T19:40:57.255Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://documentation.solarwinds.com/en/success_center/hco/content/release_notes/hco_2023-4_release_notes.htm", "tags": ["x_transferred"]}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40062", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.791Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-40062", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-05T19:40:44.516095Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T19:40:53.368Z"}}], "cna": {"title": "Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SolarWinds ", "product": "SolarWinds Platform ", "versions": [{"status": "affected", "version": "2023.3.1 and previous versions "}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.4\n", "supportingMedia": [{"type": "text/html", "value": "All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.4<br>", "base64": false}]}], "references": [{"url": "https://documentation.solarwinds.com/en/success_center/hco/content/release_notes/hco_2023-4_release_notes.htm"}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40062"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges.", "supportingMedia": [{"type": "text/html", "value": "SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-11-01T15:29:56.898Z"}}}, "cveMetadata": {"cveId": "CVE-2023-40062", "state": "PUBLISHED", "dateUpdated": "2024-09-05T19:40:57.255Z", "dateReserved": "2023-08-08T23:22:08.619Z", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "datePublished": "2023-11-01T15:29:56.898Z", "assignerShortName": "SolarWinds"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:solarwinds_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E114AB2-88D7-4C75-B640-6B2301A2F3F1", "versionEndExcluding": "2023.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges."}, {"lang": "es", "value": "Lista Incompleta de Entradas no Permitidas de la Plataforma SolarWinds vulnerabilidad de Ejecuci\u00f3n Remota de C\u00f3digo. Si se ejecuta, esta vulnerabilidad permitir\u00eda a un usuario con pocos privilegios ejecutar comandos con permisos de SYSTEM."}], "id": "CVE-2023-40062", "lastModified": "2024-11-21T08:18:37.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "psirt@solarwinds.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-01T16:15:08.697", "references": [{"source": "psirt@solarwinds.com", "tags": ["Release Notes"], "url": "https://documentation.solarwinds.com/en/success_center/hco/content/release_notes/hco_2023-4_release_notes.htm"}, {"source": "psirt@solarwinds.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40062"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://documentation.solarwinds.com/en/success_center/hco/content/release_notes/hco_2023-4_release_notes.htm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40062"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "psirt@solarwinds.com", "type": "Secondary"}]}