cvelistv5 - CVE-2022-38115

CVE-2022-38115 (GCVE-0-2022-38115)

Vulnerability from cvelistv5 – Published: 2022-11-23 00:00 – Updated: 2025-04-24 19:20

Title

Insecure Methods Vulnerability

Summary

Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-650

Assigner

SolarWinds

References

URL

Tags

	https://documentation.solarwinds.com/en/success_c…
	https://www.solarwinds.com/trust-center/security-…

Impacted products

	Vendor	Product	Version
	SolarWinds	SolarWinds SEM	Affected: 2022.2 and previous versions , < 2022.4 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T10:45:52.561Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-38115",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-24T19:20:39.443430Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-24T19:20:55.843Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SolarWinds SEM ",
          "vendor": "SolarWinds ",
          "versions": [
            {
              "lessThan": "2022.4 ",
              "status": "affected",
              "version": "2022.2 and previous versions ",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eInsecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT\u003c/p\u003e"
            }
          ],
          "value": "Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT\n\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-650",
              "description": "CWE-650",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-03T18:00:13.291Z",
        "orgId": "49f11609-934d-4621-84e6-e02e032104d6",
        "shortName": "SolarWinds"
      },
      "references": [
        {
          "url": "https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm"
        },
        {
          "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSolarWinds advises to upgrade to the latest version of SolarWinds SEM version 2022.4\u003c/p\u003e"
            }
          ],
          "value": "SolarWinds advises to upgrade to the latest version of SolarWinds SEM version 2022.4\n\n"
        }
      ],
      "source": {
        "advisory": "CVE-2022-38115",
        "discovery": "EXTERNAL"
      },
      "title": "Insecure Methods Vulnerability",
      "x_generator": {
        "engine": "vulnogram 0.1.0-rc1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6",
    "assignerShortName": "SolarWinds",
    "cveId": "CVE-2022-38115",
    "datePublished": "2022-11-23T00:00:00.000Z",
    "dateReserved": "2022-08-09T00:00:00.000Z",
    "dateUpdated": "2025-04-24T19:20:55.843Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:solarwinds:security_event_manager:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2022.2\", \"matchCriteriaId\": \"D8002390-7AB8-401D-B2CB-7DA9B19965E5\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT\\n\\n\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad de m\\u00e9todo inseguro en la que se revelan m\\u00e9todos HTTP permitidos. Por ejemplo, OPTIONS, DELETE, TRACE y PUT\"}]",
      "id": "CVE-2022-38115",
      "lastModified": "2024-11-21T07:15:49.413",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"psirt@solarwinds.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}]}",
      "published": "2022-11-23T17:15:10.237",
      "references": "[{\"url\": \"https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm\", \"source\": \"psirt@solarwinds.com\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115\", \"source\": \"psirt@solarwinds.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Vendor Advisory\"]}, {\"url\": \"https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "psirt@solarwinds.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"psirt@solarwinds.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-650\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-436\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-38115\",\"sourceIdentifier\":\"psirt@solarwinds.com\",\"published\":\"2022-11-23T17:15:10.237\",\"lastModified\":\"2024-11-21T07:15:49.413\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT\\n\\n\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de m\u00e9todo inseguro en la que se revelan m\u00e9todos HTTP permitidos. Por ejemplo, OPTIONS, DELETE, TRACE y PUT\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@solarwinds.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"psirt@solarwinds.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-650\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-436\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:solarwinds:security_event_manager:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2022.2\",\"matchCriteriaId\":\"D8002390-7AB8-401D-B2CB-7DA9B19965E5\"}]}]}],\"references\":[{\"url\":\"https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm\",\"source\":\"psirt@solarwinds.com\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115\",\"source\":\"psirt@solarwinds.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Vendor Advisory\"]},{\"url\":\"https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T10:45:52.561Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-38115\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-04-24T19:20:39.443430Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-04-24T19:20:47.641Z\"}}], \"cna\": {\"title\": \"Insecure Methods Vulnerability\", \"source\": {\"advisory\": \"CVE-2022-38115\", \"discovery\": \"EXTERNAL\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"SolarWinds \", \"product\": \"SolarWinds SEM \", \"versions\": [{\"status\": \"affected\", \"version\": \"2022.2 and previous versions \", \"lessThan\": \"2022.4 \", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"SolarWinds advises to upgrade to the latest version of SolarWinds SEM version 2022.4\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eSolarWinds advises to upgrade to the latest version of SolarWinds SEM version 2022.4\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm\"}, {\"url\": \"https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115\"}], \"x_generator\": {\"engine\": \"vulnogram 0.1.0-rc1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT\\n\\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eInsecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-650\", \"description\": \"CWE-650\"}]}], \"providerMetadata\": {\"orgId\": \"49f11609-934d-4621-84e6-e02e032104d6\", \"shortName\": \"SolarWinds\", \"dateUpdated\": \"2023-08-03T18:00:13.291Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-38115\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-04-24T19:20:55.843Z\", \"dateReserved\": \"2022-08-09T00:00:00.000Z\", \"assignerOrgId\": \"49f11609-934d-4621-84e6-e02e032104d6\", \"datePublished\": \"2022-11-23T00:00:00.000Z\", \"assignerShortName\": \"SolarWinds\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

CERTFR-2022-AVI-1051

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits SolarWinds. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SolarWinds	N/A	Engineer’s Toolset (ETS) versions antérieures à 2022.4 Desktop
SolarWinds	Serv-U	Serv-U versions antérieures à 15.3.2
SolarWinds	Orion Platform	Orion Platform versions 2020.2.6 HF5 et antérieures
SolarWinds	Platform	SolarWinds Platform versions antérieures à 2022.4
SolarWinds	N/A	Security Event Manager (SEM) versions antérieures à 2022.4

References

Title

Publication Time

Tags

Bulletin de sécurité SolarWinds cve-2022-38113 du 22 novembre 2022	None	vendor-advisory
Bulletin de sécurité SolarWinds cve-2022-36960 du 22 novembre 2022	None	vendor-advisory
Bulletin de sécurité SolarWinds cve-2022-38106 du 22 novembre 2022	None	vendor-advisory
Bulletin de sécurité SolarWinds cve-2022-38114 du 22 novembre 2022	None	vendor-advisory
Bulletin de sécurité SolarWinds cve-2022-38115 du 22 novembre 2022	None	vendor-advisory
Bulletin de sécurité SolarWinds cve-2022-36962 du 22 novembre 2022	None	vendor-advisory
Bulletin de sécurité SolarWinds cve-2021-35246 du 22 novembre 2022	None	vendor-advisory
Bulletin de sécurité SolarWinds cve-2022-36964 du 22 novembre 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Engineer\u2019s Toolset (ETS) versions ant\u00e9rieures \u00e0 2022.4 Desktop",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "Serv-U versions ant\u00e9rieures \u00e0 15.3.2",
      "product": {
        "name": "Serv-U",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "Orion Platform versions 2020.2.6 HF5 et ant\u00e9rieures",
      "product": {
        "name": "Orion Platform",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "SolarWinds Platform versions ant\u00e9rieures \u00e0 2022.4",
      "product": {
        "name": "Platform",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "Security Event Manager (SEM) versions ant\u00e9rieures \u00e0 2022.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-36964",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-36964"
    },
    {
      "name": "CVE-2022-36962",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-36962"
    },
    {
      "name": "CVE-2022-38115",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38115"
    },
    {
      "name": "CVE-2022-38114",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38114"
    },
    {
      "name": "CVE-2022-38113",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38113"
    },
    {
      "name": "CVE-2022-38106",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38106"
    },
    {
      "name": "CVE-2022-36960",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-36960"
    },
    {
      "name": "CVE-2021-35246",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-35246"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-1051",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-11-23T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSolarWinds. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un contournement\nde la politique de s\u00e9curit\u00e9 et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SolarWinds",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds cve-2022-38113 du 22 novembre 2022",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38113"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds cve-2022-36960 du 22 novembre 2022",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36960"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds cve-2022-38106 du 22 novembre 2022",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38106"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds cve-2022-38114 du 22 novembre 2022",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38114"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds cve-2022-38115 du 22 novembre 2022",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38115"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds cve-2022-36962 du 22 novembre 2022",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36962"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds cve-2021-35246 du 22 novembre 2022",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35246"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds cve-2022-36964 du 22 novembre 2022",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36964"
    }
  ]
}

CERTFR-2022-AVI-1051

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
SolarWinds	N/A	Engineer’s Toolset (ETS) versions antérieures à 2022.4 Desktop
SolarWinds	Serv-U	Serv-U versions antérieures à 15.3.2
SolarWinds	Orion Platform	Orion Platform versions 2020.2.6 HF5 et antérieures
SolarWinds	Platform	SolarWinds Platform versions antérieures à 2022.4
SolarWinds	N/A	Security Event Manager (SEM) versions antérieures à 2022.4

References

Title

Publication Time

Tags

Bulletin de sécurité SolarWinds cve-2022-38113 du 22 novembre 2022	None	vendor-advisory
Bulletin de sécurité SolarWinds cve-2022-36960 du 22 novembre 2022	None	vendor-advisory
Bulletin de sécurité SolarWinds cve-2022-38106 du 22 novembre 2022	None	vendor-advisory
Bulletin de sécurité SolarWinds cve-2022-38114 du 22 novembre 2022	None	vendor-advisory
Bulletin de sécurité SolarWinds cve-2022-38115 du 22 novembre 2022	None	vendor-advisory
Bulletin de sécurité SolarWinds cve-2022-36962 du 22 novembre 2022	None	vendor-advisory
Bulletin de sécurité SolarWinds cve-2021-35246 du 22 novembre 2022	None	vendor-advisory
Bulletin de sécurité SolarWinds cve-2022-36964 du 22 novembre 2022	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Engineer\u2019s Toolset (ETS) versions ant\u00e9rieures \u00e0 2022.4 Desktop",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "Serv-U versions ant\u00e9rieures \u00e0 15.3.2",
      "product": {
        "name": "Serv-U",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "Orion Platform versions 2020.2.6 HF5 et ant\u00e9rieures",
      "product": {
        "name": "Orion Platform",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "SolarWinds Platform versions ant\u00e9rieures \u00e0 2022.4",
      "product": {
        "name": "Platform",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    },
    {
      "description": "Security Event Manager (SEM) versions ant\u00e9rieures \u00e0 2022.4",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "SolarWinds",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2022-36964",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-36964"
    },
    {
      "name": "CVE-2022-36962",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-36962"
    },
    {
      "name": "CVE-2022-38115",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38115"
    },
    {
      "name": "CVE-2022-38114",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38114"
    },
    {
      "name": "CVE-2022-38113",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38113"
    },
    {
      "name": "CVE-2022-38106",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-38106"
    },
    {
      "name": "CVE-2022-36960",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-36960"
    },
    {
      "name": "CVE-2021-35246",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-35246"
    }
  ],
  "links": [],
  "reference": "CERTFR-2022-AVI-1051",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2022-11-23T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nSolarWinds. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un contournement\nde la politique de s\u00e9curit\u00e9 et une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits SolarWinds",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds cve-2022-38113 du 22 novembre 2022",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38113"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds cve-2022-36960 du 22 novembre 2022",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36960"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds cve-2022-38106 du 22 novembre 2022",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38106"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds cve-2022-38114 du 22 novembre 2022",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38114"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds cve-2022-38115 du 22 novembre 2022",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38115"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds cve-2022-36962 du 22 novembre 2022",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36962"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds cve-2021-35246 du 22 novembre 2022",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35246"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 SolarWinds cve-2022-36964 du 22 novembre 2022",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36964"
    }
  ]
}

FKIE_CVE-2022-38115

Vulnerability from fkie_nvd - Published: 2022-11-23 17:15 - Updated: 2024-11-21 07:15

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT

References

URL	Tags
psirt@solarwinds.com	https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm	Release Notes, Vendor Advisory
psirt@solarwinds.com	https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm	Release Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115	Vendor Advisory

Impacted products

	Vendor	Product	Version
	solarwinds	security_event_manager	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:solarwinds:security_event_manager:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8002390-7AB8-401D-B2CB-7DA9B19965E5",
              "versionEndExcluding": "2022.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT\n\n"
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de m\u00e9todo inseguro en la que se revelan m\u00e9todos HTTP permitidos. Por ejemplo, OPTIONS, DELETE, TRACE y PUT"
    }
  ],
  "id": "CVE-2022-38115",
  "lastModified": "2024-11-21T07:15:49.413",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "psirt@solarwinds.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-11-23T17:15:10.237",
  "references": [
    {
      "source": "psirt@solarwinds.com",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm"
    },
    {
      "source": "psirt@solarwinds.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115"
    }
  ],
  "sourceIdentifier": "psirt@solarwinds.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-650"
        }
      ],
      "source": "psirt@solarwinds.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-436"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2022-38115

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT

Aliases

CVE-2022-38115

Aliases

CVE-2022-38115

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-38115",
    "description": "Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT",
    "id": "GSD-2022-38115"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2022-38115"
      ],
      "details": "Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT\n\n",
      "id": "GSD-2022-38115",
      "modified": "2023-12-13T01:19:22.287228Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "psirt@solarwinds.com",
        "ID": "CVE-2022-38115",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "SolarWinds SEM ",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "2022.2 and previous versions ",
                          "version_value": "2022.4 "
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "SolarWinds "
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT\n\n"
          }
        ]
      },
      "generator": {
        "engine": "vulnogram 0.1.0-rc1"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-650",
                "lang": "eng",
                "value": "CWE-650"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm",
            "refsource": "MISC",
            "url": "https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm"
          },
          {
            "name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115",
            "refsource": "MISC",
            "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115"
          }
        ]
      },
      "solution": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSolarWinds advises to upgrade to the latest version of SolarWinds SEM version 2022.4\u003c/p\u003e"
            }
          ],
          "value": "SolarWinds advises to upgrade to the latest version of SolarWinds SEM version 2022.4\n\n"
        }
      ],
      "source": {
        "advisory": "CVE-2022-38115",
        "discovery": "EXTERNAL"
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:solarwinds:security_event_manager:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2022.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@solarwinds.com",
          "ID": "CVE-2022-38115"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT\n\n"
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-436"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115"
            },
            {
              "name": "https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Vendor Advisory"
              ],
              "url": "https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2023-08-03T19:15Z",
      "publishedDate": "2022-11-23T17:15Z"
    }
  }
}

CNVD-2022-86387

Vulnerability from cnvd - Published: 2022-12-06

Title

SolarWinds Security Event Manager存在未明漏洞

Description

SolarWinds Security Event Manager（SolarWinds SEM）是美国SolarWinds公司的一个安全事件管理器。用于取证和故障排除，以及帮助您管理日志数据的工具。 SolarWinds Security Event Manager 2022.2及其之前版本存在安全漏洞，该漏洞源于披露了HTTP操作方法。如，OPTIONS、DELETE、TRACE 和 PUT方法。攻击者可利用该漏洞影响系统的机密性，完整性或可用性。

Severity

中

Patch Name

SolarWinds Security Event Manager存在未明漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm

Reference

https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115

Impacted products

Name
Solarwinds SolarWinds Security Event Manager <=2022.2

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-38115",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-38115"
    }
  },
  "description": "SolarWinds Security Event Manager\uff08SolarWinds SEM\uff09\u662f\u7f8e\u56fdSolarWinds\u516c\u53f8\u7684\u4e00\u4e2a\u5b89\u5168\u4e8b\u4ef6\u7ba1\u7406\u5668\u3002\u7528\u4e8e\u53d6\u8bc1\u548c\u6545\u969c\u6392\u9664\uff0c\u4ee5\u53ca\u5e2e\u52a9\u60a8\u7ba1\u7406\u65e5\u5fd7\u6570\u636e\u7684\u5de5\u5177\u3002\n\nSolarWinds Security Event Manager 2022.2\u53ca\u5176\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u62ab\u9732\u4e86HTTP\u64cd\u4f5c\u65b9\u6cd5\u3002\u5982\uff0cOPTIONS\u3001DELETE\u3001TRACE \u548c PUT\u65b9\u6cd5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5f71\u54cd\u7cfb\u7edf\u7684\u673a\u5bc6\u6027\uff0c\u5b8c\u6574\u6027\u6216\u53ef\u7528\u6027\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-86387",
  "openTime": "2022-12-06",
  "patchDescription": "SolarWinds Security Event Manager\uff08SolarWinds SEM\uff09\u662f\u7f8e\u56fdSolarWinds\u516c\u53f8\u7684\u4e00\u4e2a\u5b89\u5168\u4e8b\u4ef6\u7ba1\u7406\u5668\u3002\u7528\u4e8e\u53d6\u8bc1\u548c\u6545\u969c\u6392\u9664\uff0c\u4ee5\u53ca\u5e2e\u52a9\u60a8\u7ba1\u7406\u65e5\u5fd7\u6570\u636e\u7684\u5de5\u5177\u3002\r\n\r\nSolarWinds Security Event Manager 2022.2\u53ca\u5176\u4e4b\u524d\u7248\u672c\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u62ab\u9732\u4e86HTTP\u64cd\u4f5c\u65b9\u6cd5\u3002\u5982\uff0cOPTIONS\u3001DELETE\u3001TRACE \u548c PUT\u65b9\u6cd5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5f71\u54cd\u7cfb\u7edf\u7684\u673a\u5bc6\u6027\uff0c\u5b8c\u6574\u6027\u6216\u53ef\u7528\u6027\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SolarWinds Security Event Manager\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Solarwinds SolarWinds Security Event Manager \u003c=2022.2"
  },
  "referenceLink": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115",
  "serverity": "\u4e2d",
  "submitTime": "2022-11-25",
  "title": "SolarWinds Security Event Manager\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

GHSA-4528-VMXJ-V97W

Vulnerability from github – Published: 2022-11-23 18:30 – Updated: 2022-11-28 18:30

Details

Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT

Severity ?

5.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2022-38115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-436",
      "CWE-650"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-11-23T17:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUT",
  "id": "GHSA-4528-vmxj-v97w",
  "modified": "2022-11-28T18:30:15Z",
  "published": "2022-11-23T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38115"
    },
    {
      "type": "WEB",
      "url": "https://documentation.solarwinds.com/en/success_center/sem/content/release_notes/sem_2022-4_release_notes.htm"
    },
    {
      "type": "WEB",
      "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38115"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-38115 (GCVE-0-2022-38115)

CERTFR-2022-AVI-1051

Solution

CERTFR-2022-AVI-1051

Solution

FKIE_CVE-2022-38115

GSD-2022-38115

CNVD-2022-86387

GHSA-4528-VMXJ-V97W

Tags

Sightings

Nomenclature