CVE-2021-35218

HIGH8.9

High EPSS

Description

Deserialization of Untrusted Data in the Web Console Chart Endpoint can lead to remote code execution. An unauthorized attacker who has network access to the Orion Patch Manager Web Console could potentially exploit this and compromise the server

CVSS breakdown

CVSS 3.1

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

Low

Affected products

SolarWinds / Patch Manager2020.5 and previous versions – 2020.2.6

References

MISChttps://documentation.solarwinds.com/en/success_center/patchman/content/release_notes/patchman_2020-2-6_release_notes.htm
VENDOR_ADVISORYhttps://www.solarwinds.com/trust-center/security-advisories/cve-2021-35218
VENDOR_ADVISORYhttps://www.zerodayinitiative.com/advisories/ZDI-21-1248/