Description
An SQL injection privilege escalation vulnerability in the Orion Platform was reported by the ZDI team. It is a blind Boolean-based SQL injection that could give any authenticated user full read/write access to the Orion database content, including the Orion certificate.
CVSS breakdown
CVSS 3.1
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: Low
Affected products
- SolarWinds / Orion Platform 2020.2.5 and previous versions – 2020.2.5 HF1
References
- MISC: https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm
- MISC: https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/orion_platform_2020-2-6_release_notes.htm
- VENDOR_ADVISORY: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35212
- VENDOR_ADVISORY: https://www.zerodayinitiative.com/advisories/ZDI-21-1243/