CVE-2023-23842

The SolarWinds Network Configuration Manager was susceptible to the Directory Traversal Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://documentation.solarwinds.com/en/success_center/ncm/content/release_notes/ncm_2023-3_release_notes.htm	Release Notes Vendor Advisory
https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23842	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:solarwinds:network_configuration_monitor:*:*:*:*:*:*:*:*

History

03 Aug 2023, 13:49

Type	Values Removed	Values Added
First Time		Solarwinds Solarwinds network Configuration Monitor
CPE		cpe:2.3:a:solarwinds:network_configuration_monitor::::::::
References	~~(MISC) https://documentation.solarwinds.com/en/success_center/ncm/content/release_notes/ncm_2023-3_release_notes.htm -~~	(MISC) https://documentation.solarwinds.com/en/success_center/ncm/content/release_notes/ncm_2023-3_release_notes.htm - Release Notes, Vendor Advisory
References	~~(MISC) https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23842 -~~	(MISC) https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23842 - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.2
CWE		CWE-22

26 Jul 2023, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-07-26 15:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-23842

Mitre link : CVE-2023-23842

CVE.ORG link : CVE-2023-23842

JSON object : View

Products Affected

solarwinds

network_configuration_monitor

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2023-23842", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "psirt@solarwinds.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2023-07-26T15:15:10.167", "references": [{"url": "https://documentation.solarwinds.com/en/success_center/ncm/content/release_notes/ncm_2023-3_release_notes.htm", "tags": ["Release Notes", "Vendor Advisory"], "source": "psirt@solarwinds.com"}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-23842", "tags": ["Vendor Advisory"], "source": "psirt@solarwinds.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "psirt@solarwinds.com", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "The SolarWinds Network Configuration Manager was susceptible to the Directory Traversal Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands."}, {"lang": "es", "value": "SolarWinds Network Configuration Manager era susceptible a la vulnerabilidad de Directory Traversal. Esta vulnerabilidad permite a los usuarios con acceso administrativo a SolarWinds Web Console ejecutar comandos arbitrarios."}], "lastModified": "2023-10-30T19:43:24.260", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:network_configuration_monitor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C5453E8E-48E2-44AC-AB26-02538097C35B", "versionEndExcluding": "2023.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@solarwinds.com"}