SolarWinds announced security patches to address multiple high-severity vulnerabilities in Serv-U and the SolarWinds Platform. The vulnerabilities affect Platform 2024.1 SR 1 and previous versions.<\/p>\n\n\n\n
One of the vulnerabilities addressed by the company, tracked as CVE-2024-28996, was reported by a penetration tester working with NATO.
The flaw CVE-2024-28996 (CVSS score 7.5) was discovered by NATO Communications and Information Agency pentester Nils Putnins. The flaw is a read-only subset of SQL, SWQL, which allows users to query the SolarWinds database for network information. According to the advisory, the attack complexity is high.<\/p>\n\n\n\n
The company also addressed multiple vulnerabilities in third-party companies. The flaws, tracked as CVE-2024-28999 (CVSS score 6.4) and CVE-2024-29004 (CVSS score 7.1), are a race condition issue and a stored XSS bug in the web console, respectively.
The company fixed multiple bugs in third-party components, such as Angular, the public API function BIO_new_NDEF, the OpenSSL RSA Key generation algorithm, and the x86_64 Montgomery squaring procedure in OpenSSL.<\/p>\n\n\n\n
The company released version 2024.2<\/a> that addressed the above vulnerabilities.<\/p>\n\n\n\n
Pierluigi\u00a0Paganini<\/strong><\/a>
Follow me on Twitter: @securityaffairs<\/strong><\/a> and Facebook<\/strong><\/a> and Mastodon<\/a><\/p>\n\n\n\n
(<\/strong>SecurityAffairs<\/strong><\/a>\u00a0\u2013<\/strong>\u00a0hacking,\u00a0SolarWinds<\/a>)<\/strong>