Vulnerability Details : CVE-2021-35244
The "Log alert to a file" action within action management enables any Orion Platform user with Orion alert management rights to write to any file. An attacker holding Orion alert management rights could use this vulnerability to perform an unrestricted file upload, leading to remote code execution.
Vulnerability category: Execute code
Products affected by CVE-2021-35244
- cpe:2.3:a:solarwinds:orion_platform:*:*:*:*:*:*:*:*
- cpe:2.3:a:solarwinds:orion_platform:2020.2.6:-:*:*:*:*:*:*
- cpe:2.3:a:solarwinds:orion_platform:2020.2.6:hotfix1:*:*:*:*:*:*
- cpe:2.3:a:solarwinds:orion_platform:2020.2.6:hotfix2:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-35244
- EPSS score: 0.71% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~80% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-35244
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
8.5 | HIGH | AV:N/AC:M/Au:S/C:C/I:C/A:C | 6.8 | 10.0 | NIST | 
7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 | NIST | 
6.8 | MEDIUM | CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L | 1.0 | 5.3 | SolarWinds | 
CWE ids for CVE-2021-35244
- The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2021-35244
- https://www.zerodayinitiative.com/advisories/ZDI-22-375/ (ZDI-22-375 | Zero Day Initiative) Third Party Advisory; VDB Entry
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35242 (Page Not Found) Not Applicable; Vendor Advisory
- https://documentation.solarwinds.com/en/Success_Center/orionplatform/content/core-secure-configuration.htm (Secure Configuration for the Orion Platform) Vendor Advisory
- https://support.solarwinds.com/SuccessCenter/s/article/Orion-Platform-2020-2-6-Hotfix-3?language=en_US (Article Detail) Release Notes; Vendor Advisory