CVE-2023-40062 - Vulnerability Details - OpenCVE

SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.02414.

Key SSVC decision points have not yet been added.

Vendors	Products
Solarwinds Subscribe	Solarwinds Platform Subscribe

Configuration 1 [-]

cpe:2.3:a:solarwinds:solarwinds_platform:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-44669	SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges.

Fixes

Solution

All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.4

Workaround

No workaround given by the vendor.

References

Link	Providers
https://documentation.solarwinds.com/en/success_center/hco/content/release_notes/hco_2023-4_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40062

History

No history.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published: 2023-11-01T15:29:56.898Z

Updated: 2024-09-05T19:40:57.255Z

Reserved: 2023-08-08T23:22:08.619Z

Link: CVE-2023-40062

Vulnrichment

Updated: 2024-08-02T18:24:54.791Z

NVD

Status : Modified

Published: 2023-11-01T16:15:08.697

Modified: 2024-11-21T08:18:37.847

Link: CVE-2023-40062

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-20

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40062", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "state": "PUBLISHED", "assignerShortName": "SolarWinds", "dateReserved": "2023-08-08T23:22:08.619Z", "datePublished": "2023-11-01T15:29:56.898Z", "dateUpdated": "2024-09-05T19:40:57.255Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SolarWinds Platform ", "vendor": "SolarWinds ", "versions": [{"status": "affected", "version": "2023.3.1 and previous versions "}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges."}], "value": "SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges."}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-11-01T15:29:56.898Z"}, "references": [{"url": "https://documentation.solarwinds.com/en/success_center/hco/content/release_notes/hco_2023-4_release_notes.htm"}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40062"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.4<br>"}], "value": "All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.4\n"}], "source": {"discovery": "UNKNOWN"}, "title": "Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.791Z"}, "title": "CVE Program Container", "references": [{"url": "https://documentation.solarwinds.com/en/success_center/hco/content/release_notes/hco_2023-4_release_notes.htm", "tags": ["x_transferred"]}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40062", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-05T19:40:44.516095Z", "id": "CVE-2023-40062", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T19:40:57.255Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://documentation.solarwinds.com/en/success_center/hco/content/release_notes/hco_2023-4_release_notes.htm", "tags": ["x_transferred"]}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40062", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:54.791Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-40062", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-05T19:40:44.516095Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-05T19:40:53.368Z"}}], "cna": {"title": "Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative"}], "impacts": [{"capecId": "CAPEC-153", "descriptions": [{"lang": "en", "value": "CAPEC-153 Input Data Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SolarWinds ", "product": "SolarWinds Platform ", "versions": [{"status": "affected", "version": "2023.3.1 and previous versions "}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.4\n", "supportingMedia": [{"type": "text/html", "value": "All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.4<br>", "base64": false}]}], "references": [{"url": "https://documentation.solarwinds.com/en/success_center/hco/content/release_notes/hco_2023-4_release_notes.htm"}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40062"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges.", "supportingMedia": [{"type": "text/html", "value": "SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-11-01T15:29:56.898Z"}}}, "cveMetadata": {"cveId": "CVE-2023-40062", "state": "PUBLISHED", "dateUpdated": "2024-09-05T19:40:57.255Z", "dateReserved": "2023-08-08T23:22:08.619Z", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "datePublished": "2023-11-01T15:29:56.898Z", "assignerShortName": "SolarWinds"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:solarwinds_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E114AB2-88D7-4C75-B640-6B2301A2F3F1", "versionEndExcluding": "2023.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges."}, {"lang": "es", "value": "Lista Incompleta de Entradas no Permitidas de la Plataforma SolarWinds vulnerabilidad de Ejecuci\u00f3n Remota de C\u00f3digo. Si se ejecuta, esta vulnerabilidad permitir\u00eda a un usuario con pocos privilegios ejecutar comandos con permisos de SYSTEM."}], "id": "CVE-2023-40062", "lastModified": "2024-11-21T08:18:37.847", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "psirt@solarwinds.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-01T16:15:08.697", "references": [{"source": "psirt@solarwinds.com", "tags": ["Release Notes"], "url": "https://documentation.solarwinds.com/en/success_center/hco/content/release_notes/hco_2023-4_release_notes.htm"}, {"source": "psirt@solarwinds.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40062"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://documentation.solarwinds.com/en/success_center/hco/content/release_notes/hco_2023-4_release_notes.htm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-40062"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "psirt@solarwinds.com", "type": "Secondary"}]}