CVE-2022-38108
Severity CVSS v4.0:
Pending analysis
Type:
CWE-502
Deserialization of Untrusted Dat
Publication date:
20/10/2022
Last modified:
08/05/2025
Description
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
Impact
Base Score 3.x
7.20
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:solarwinds:orion_platform:*:*:*:*:*:*:*:* | 2020.2.6 (excluding) | |
| cpe:2.3:a:solarwinds:orion_platform:2020.2.6:-:*:*:*:*:*:* | ||
| cpe:2.3:a:solarwinds:orion_platform:2020.2.6:hotfix1:*:*:*:*:*:* | ||
| cpe:2.3:a:solarwinds:orion_platform:2020.2.6:hotfix2:*:*:*:*:*:* | ||
| cpe:2.3:a:solarwinds:orion_platform:2020.2.6:hotfix3:*:*:*:*:*:* | ||
| cpe:2.3:a:solarwinds:orion_platform:2020.2.6:hotfix4:*:*:*:*:*:* | ||
| cpe:2.3:a:solarwinds:orion_platform:2020.2.6:hotfix5:*:*:*:*:*:* | ||
| cpe:2.3:a:solarwinds:orion_platform:2022.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:solarwinds:orion_platform:2022.3:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://packetstormsecurity.com/files/171567/SolarWinds-Information-Service-SWIS-Remote-Command-Execution.html
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38108
- https://www.zerodayinitiative.com/advisories/ZDI-CAN-17531
- http://packetstormsecurity.com/files/171567/SolarWinds-Information-Service-SWIS-Remote-Command-Execution.html
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38108
- https://www.zerodayinitiative.com/advisories/ZDI-CAN-17531
- https://packetstorm.news/files/id/171567