Vulnerability Details CVE-2021-35217
Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. An Authenticated Attacker could exploit it by executing WSAsyncExecuteTasks deserialization of untrusted data.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.601
EPSS Ranking 98.1%
CVSS Severity
CVSS v3 Score 8.9
CVSS v2 Score 6.5
References
- https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm
- https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/orion_platform_2020-2-6_release_notes.htm
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35217
- https://www.zerodayinitiative.com/advisories/ZDI-21-1247/
- https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm
- https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/orion_platform_2020-2-6_release_notes.htm
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35217
- https://www.zerodayinitiative.com/advisories/ZDI-21-1247/
Products affected by CVE-2021-35217
-
cpe:2.3:a:solarwinds:patch_manager:2.1.2
-
cpe:2.3:a:solarwinds:patch_manager:2.1.3
-
cpe:2.3:a:solarwinds:patch_manager:2.1.4
-
cpe:2.3:a:solarwinds:patch_manager:2.1.5
-
cpe:2.3:a:solarwinds:patch_manager:2.1.6
-
cpe:2.3:a:solarwinds:patch_manager:2.1.7
-
cpe:2.3:a:solarwinds:patch_manager:2019.4
-
cpe:2.3:a:solarwinds:patch_manager:2019.4.2
-
cpe:2.3:a:solarwinds:patch_manager:2020.2
-
cpe:2.3:a:solarwinds:patch_manager:2020.2.1
-
cpe:2.3:a:solarwinds:patch_manager:2020.2.4
-
cpe:2.3:a:solarwinds:patch_manager:2020.2.5