Vulnerability Details : CVE-2022-38115
Insecure method vulnerability in which allowed HTTP methods are disclosed, e.g., OPTIONS, DELETE, TRACE, and PUT.
Products affected by CVE-2022-38115
- cpe:2.3:a:solarwinds:security_event_manager:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-38115
- 0.07%: Probability of exploitation activity in the next 30 days
- ~ 34%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-38115
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | NIST | |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 | SolarWinds | |
CWE ids for CVE-2022-38115
- Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state. Assigned by: nvd@nist.gov (Primary)
- The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state. Assigned by: psirt@solarwinds.com (Secondary)
References for CVE-2022-38115
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115
  SolarWinds Trust Center Security Advisories | CVE-2022-38115 (Vendor Advisory)
- https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm
  SEM 2022.4 Release Notes (Release Notes; Vendor Advisory)