SolarWinds Patches Several Vulnerabilities June 2024


SolarWinds patches several high-severity vulnerabilities in Serv-U and the SolarWinds Platform. The vulnerabilities affect Platform 2024.1 SR 1 and previous versions.

The first vulnerability, tracked as CVE-2024-28996 with a CVSS score of 7.5, involves SWQL, a read-only subset of SQL that allows users to query the database for network information.

SolarWinds rolled out a hotfix for CVE-2024-28995, a high-severity directory traversal vulnerability in Serv-U that could allow attackers to read sensitive files on the host machine.

SolarWinds also addressed multiple vulnerabilities in third-party companies. The flaws, tracked as CVE-2024-28999 and CVE-2024-29004, are a race condition issue and a stored XSS bug in the web console.

It also fixed multiple bugs in third-party components, such as Angular, the public API function BIO_new_NDEF, the OpenSSL RSA Key generation algorithm, and the x86_64 Montgomery squaring procedure in OpenSSL.

The vulnerabilities impact SolarWinds Platform 2024.1 SR 1 and previous versions. Users are advised to update to version 2024.2 of the platform as soon as possible. SolarWinds also said that it wasn’t aware of any vulnerabilities exploited in the wild.
