Vulnerabilities > CVE-2021-28674 - Incorrect Authorization vulnerability in Solarwinds Orion Platform

CVSS 5.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

solarwinds

CWE-863

NVD

Published: 2021-07-30

Updated: 2022-07-12

Summary

The node management page in SolarWinds Orion Platform before 2020.2.5 HF1 allows an attacker to create or delete a node (outside of the attacker's perimeter) via an account with write permissions. This occurs because node IDs are predictable (with incrementing numbers) and the access control on Services/NodeManagement.asmx/DeleteObjNow is incorrect. To exploit this, an attacker must be authenticated and must have node management rights associated with at least one valid group on the platform.

Vulnerable Configurations

Part	Description	Count
Application	Solarwinds Solarwinds Orion Platform 2016.1 Solarwinds Orion Platform 2016.2 Solarwinds Orion Platform 2017.1 Solarwinds Orion Platform 2017.3 Solarwinds Orion Platform 2018.2 Solarwinds Orion Platform 2018.4 Solarwinds Orion Platform 2019.2 Solarwinds Orion Platform 2019.4 Solarwinds Orion Platform 2019.4.2 Solarwinds Orion Platform 2020.2 Solarwinds Orion Platform 2020.2.1 Solarwinds Orion Platform 2020.2.4 Solarwinds Orion Platform 2020.2.5	46

Common Weakness Enumeration (CWE)

CWE-863 - Incorrect Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References