Privilege Escalation Vulnerability in SolarWinds Orion Platform by SolarWinds
CVE-2021-27258

9.8CRITICAL

Key Information:

Vendor: Solarwinds
Status: Orion Platform
Vendor: CVE Published:; 14 April 2021

Summary

A vulnerability in the SolarWinds Orion Platform allows remote attackers to escalate their privileges from Guest to Administrator without authentication. The flaw lies within the SaveUserSetting endpoint, which fails to properly restrict access for unprivileged users. This oversight enables attackers to manipulate user roles, posing serious security risks to affected installations. Reference ZDI-CAN-11903 for more details on this significant security issue.

Affected Version(s)

Orion Platform 2020.2

References

https://www.zerodayinitiative.com/advisories/ZDI-21-192/

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 14, 2021
Vulnerability Reserved
Feb 16, 2021

Credit

Anonymous