CVE-2020-12608

7.8HIGH

Key Information:

Vendor
Solarwinds
Status
Managed Service Provider Patch Management Engine
Vendor
CVE Published:
7 May 2020

Summary

An issue was discovered in SolarWinds MSP PME (Patch Management Engine) Cache Service before 1.1.15 in the Advanced Monitoring Agent. There are insecure file permissions for %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\config. This can lead to code execution by changing the CacheService.xml SISServerURL parameter.

References

https://github.com/jensregel/Advisories/tree/master/CVE-2...
x_refsource_MISC
http://packetstormsecurity.com/files/157591/SolarWinds-MS...
x_refsource_MISC
http://seclists.org/fulldisclosure/2020/May/23
mailing-listx_refsource_FULLDISC

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.