CVE-2021-28674

MEDIUM

Solarwinds Orion Platform < 2020.2.5 - Incorrect Authorization

Title source: rule

Description

The node management page in SolarWinds Orion Platform before 2020.2.5 HF1 allows an attacker to create or delete a node (outside of the attacker's perimeter) via an account with write permissions. This occurs because node IDs are predictable (with incrementing numbers) and the access control on Services/NodeManagement.asmx/DeleteObjNow is incorrect. To exploit this, an attacker must be authenticated and must have node management rights associated with at least one valid group on the platform.

References (2)

[Third Party Advisory] https://pastebin.com/zFUd2cCj

[Patch, Vendor Advisory] https://www.solarwinds.com/trust-center/security-advisories/cve-2021-28674

Scores

CVSS v3 5.4

EPSS 0.0050

EPSS Percentile 66.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Details

CWE

CWE-330 CWE-863

Status published

Products (1)

solarwinds/orion_platform < 2020.2.5

Published Jul 30, 2021

Tracked Since Feb 18, 2026