What is the severity of CVE-2022-36957?

The severity of CVE-2022-36957 is high with a severity value of 7.2.

How can remote attackers exploit CVE-2022-36957?

Remote attackers can exploit CVE-2022-36957 by executing arbitrary code on affected installations of SolarWinds Network Performance Monitor.

Is authentication required to exploit CVE-2022-36957?

Yes, authentication is required to exploit CVE-2022-36957.

What is the specific flaw in CVE-2022-36957?

The specific flaw in CVE-2022-36957 is within the PropertyBagJsonConverter due to the lack of proper input validation.

Which software installations are affected by CVE-2022-36957?

The vulnerability affects installations of SolarWinds Network Performance Monitor versions up to and including 2020.2.6, 2020.2.6-hotfix1, 2020.2.6-hotfix2, 2020.2.6-hotfix3, 2020.2.6-hotfix4, 2020.2.6-hotfix5, 2022.2, and 2022.3.

Vulnerability/
CVE-2022-36957

high

7.2

CWE

502

19/10/2022

3/8/2024

CVE-2022-36957: SolarWinds Network Performance Monitor PropertyBagJsonConverter Deserialization of Untrusted Data Remote Code Execution Vulnerability

First published: Wed Oct 19 2022(Updated: )

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Credit: psirt@solarwinds.com

Affected Software	Affected Version	How to fix
SolarWinds Orion Platform	<2020.2.6
SolarWinds Orion Platform	=2020.2.6
SolarWinds Orion Platform	=2020.2.6-hotfix1
SolarWinds Orion Platform	=2020.2.6-hotfix2
SolarWinds Orion Platform	=2020.2.6-hotfix3
SolarWinds Orion Platform	=2020.2.6-hotfix4
SolarWinds Orion Platform	=2020.2.6-hotfix5
SolarWinds Orion Platform	=2022.2
SolarWinds Orion Platform	=2022.3

Remedy

SolarWinds recommends customers upgrade to SolarWinds Platform version 2022.4 as soon as possible.

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2022-36957?
The severity of CVE-2022-36957 is high with a severity value of 7.2.
How can remote attackers exploit CVE-2022-36957?
Remote attackers can exploit CVE-2022-36957 by executing arbitrary code on affected installations of SolarWinds Network Performance Monitor.
Is authentication required to exploit CVE-2022-36957?
Yes, authentication is required to exploit CVE-2022-36957.
What is the specific flaw in CVE-2022-36957?
The specific flaw in CVE-2022-36957 is within the PropertyBagJsonConverter due to the lack of proper input validation.
Which software installations are affected by CVE-2022-36957?
The vulnerability affects installations of SolarWinds Network Performance Monitor versions up to and including 2020.2.6, 2020.2.6-hotfix1, 2020.2.6-hotfix2, 2020.2.6-hotfix3, 2020.2.6-hotfix4, 2020.2.6-hotfix5, 2022.2, and 2022.3.

collector/nvd-index
agent/references
agent/type
collector/mitre-cve
source/MITRE
agent/author
agent/remedy
agent/severity
agent/title
agent/weakness
agent/last-modified-date
agent/tags
agent/description
agent/softwarecombine
agent/event
agent/first-publish-date
collector/zdi-advisory
source/ZDI
alias/ZDI-22-1460
alias/ZDI-CAN-17530
alias/CVE-2022-36957
agent/software-canonical-lookup
vendor/solarwinds
canonical/solarwinds orion platform
version/solarwinds orion platform/2020.2.6
version/solarwinds orion platform/2020.2.6-hotfix1
version/solarwinds orion platform/2020.2.6-hotfix2
version/solarwinds orion platform/2020.2.6-hotfix3
version/solarwinds orion platform/2020.2.6-hotfix4
version/solarwinds orion platform/2020.2.6-hotfix5
version/solarwinds orion platform/2022.2
version/solarwinds orion platform/2022.3
canonical/solarwinds network performance monitor