First published: Wed Sep 08 2021
An insecure deserialization of untrusted data vulnerability leading to remote code execution was discovered in the Patch Manager Orion Platform Integration module and reported to SolarWinds by ZDI. An authenticated attacker could exploit it by triggering deserialization of untrusted data in the WSAsyncExecuteTasks endpoint.
Credit: psirt@solarwinds.com
Affected Software | Affected Version | How to fix |
---|---|---|
SolarWinds Patch Manager | <=2020.2.5 | Upgrade to the latest Patch Manager and Orion Integration Module (see below) |
SolarWinds recommends upgrading to both the latest version of Patch Manager and the latest version of the Orion Integration Module as soon as they become available.
The severity of CVE-2021-35217 is high with a CVSS score of 8.8.
CVE-2021-35217 allows remote attackers to execute arbitrary code on affected installations of SolarWinds Patch Manager.
Authentication is required to exploit CVE-2021-35217: the attacker must already hold a valid account on the affected installation.
The specific flaw exists within the WSAsyncExecuteTasks endpoint, which deserializes user-supplied data without properly validating it.
To fix CVE-2021-35217 in SolarWinds Patch Manager, it is recommended to apply the latest security patches and updates provided by SolarWinds.
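The bug class named above (a service method that deserializes attacker-controlled data) is illustrated below, since the Orion Platform is .NET-based. This is an added example written for this page, not SolarWinds code: the TaskRequest type, the method names and the OnlyTaskRequestBinder are assumptions, and nothing here reproduces the actual WSAsyncExecuteTasks implementation. It contrasts the vulnerable BinaryFormatter pattern with a type-restricting binder (a stopgap) and with a data-only format plus input validation (the fix).

```csharp
// Added illustration of the bug class, NOT SolarWinds code. TaskRequest,
// ExecuteTasksUnsafe/ExecuteTasksWithBinder/ExecuteTasksSafe and
// OnlyTaskRequestBinder are assumed names for this example only.
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;
using System.Text.Json.Serialization;

[Serializable]
public sealed class TaskRequest
{
    public string TaskName { get; set; } = "";
    public int TimeoutSeconds { get; set; }
}

// Stopgap only: restricts BinaryFormatter to one concrete type. Microsoft
// still classifies BinaryFormatter as insecure even with a binder, so this
// is a bridge while the endpoint is moved to a data-only format.
public sealed class OnlyTaskRequestBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(TaskRequest).FullName)
            return typeof(TaskRequest);
        throw new SerializationException($"type not allowed: {typeName}");
    }
}

public static class TaskService
{
    // VULNERABLE pattern (as found in .NET Framework era code; modern .NET
    // disables BinaryFormatter by default): the payload names the types to
    // instantiate, so a caller who controls the bytes chooses which
    // constructors, setters and callbacks run on the server, the primitive
    // behind gadget-chain RCE.
    public static TaskRequest ExecuteTasksUnsafe(string base64Payload)
    {
        var bytes = Convert.FromBase64String(base64Payload);
        using var ms = new MemoryStream(bytes);
        var formatter = new BinaryFormatter();            // CA2300 insecure deserializer
        return (TaskRequest)formatter.Deserialize(ms);    // the cast runs AFTER the damage
    }

    // Mitigated legacy pattern: same wire format, but only TaskRequest may be bound.
    public static TaskRequest ExecuteTasksWithBinder(string base64Payload)
    {
        var bytes = Convert.FromBase64String(base64Payload);
        using var ms = new MemoryStream(bytes);
        var formatter = new BinaryFormatter { Binder = new OnlyTaskRequestBinder() };
        return (TaskRequest)formatter.Deserialize(ms);
    }

    // HARDENED pattern: a data-only format that never resolves type names
    // from the payload, unknown members rejected, fields range-checked before use.
    public static TaskRequest ExecuteTasksSafe(string json)
    {
        var options = new JsonSerializerOptions
        {
            UnmappedMemberHandling = JsonUnmappedMemberHandling.Disallow, // .NET 8+
        };
        var req = JsonSerializer.Deserialize<TaskRequest>(json, options)
                  ?? throw new ArgumentException("empty request");
        if (string.IsNullOrWhiteSpace(req.TaskName) || req.TaskName.Length > 128)
            throw new ArgumentException("invalid TaskName");
        if (req.TimeoutSeconds < 1 || req.TimeoutSeconds > 3600)
            throw new ArgumentException("TimeoutSeconds out of range");
        return req;
    }

    public static void Main()
    {
        // Constructed sample input for the hardened path.
        var ok = ExecuteTasksSafe("{\"TaskName\":\"ScanHost\",\"TimeoutSeconds\":60}");
        Console.WriteLine($"accepted: {ok.TaskName} ({ok.TimeoutSeconds}s)");

        // A payload smuggling an extra member is rejected instead of silently accepted.
        try { ExecuteTasksSafe("{\"TaskName\":\"x\",\"TimeoutSeconds\":1,\"Type\":\"evil\"}"); }
        catch (JsonException e) { Console.WriteLine($"rejected: {e.Message}"); }
    }
}
```

The point of the contrast is where type resolution happens: in the unsafe path the payload decides which classes are instantiated before the `(TaskRequest)` cast ever runs, so no check placed after `Deserialize` can help. A binder narrows that to one type but keeps an inherently unsafe deserializer in the request path; switching to a format that carries only data, then validating the fields, removes the primitive entirely. On a deployed Patch Manager installation the practical check is still the version in the table above: anything at or below 2020.2.5 is affected and should be upgraded.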