SolarWinds this week announced security updates for Access Rights Manager to address 13 vulnerabilities, including eight critical-severity bugs.
Six of the critical flaws – CVE-2024-23466, CVE-2024-23467, CVE-2024-23469, CVE-2024-23470, CVE-2024-23471, CVE-2024-28074 – could be exploited for remote code execution, the company warns.
The remaining two critical-severity issues, tracked as CVE-2024-23472 and CVE-2024-23475, are path traversal bugs that could allow attackers to read and delete arbitrary files.
All vulnerabilities were reported in January through Trend Micro’s Zero Day Initiative, which notes that authentication is not required to successfully exploit them.
Six of the eight critical vulnerabilities stem from missing validation of user-supplied input, while the other two stem from an exposed dangerous method and could allow attackers to execute code with System privileges.
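The two bug classes named above, path traversal and missing validation of user-supplied input, come down to the same defensive question: does a user-controlled path stay inside the directory the application intends to serve? The following is an added, generic illustration written for this page, not SolarWinds' or ZDI's code, and it makes no claim about how Access Rights Manager is implemented. The base directory name and the sample inputs are constructed assumptions. It places the common vulnerable pattern (normalise, then use) beside a confined resolver that canonicalises and rejects anything that escapes the base.

```python
"""Added example: confining user-supplied paths to a base directory.

Not the product's code; illustrates the path-traversal bug class the advisory
describes (arbitrary file read/delete) and one standard mitigation.
"""
import os
from pathlib import Path


def unsafe_resolve(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: join and normalise, but never check containment.

    '../' segments are happily collapsed, so the result can point anywhere.
    """
    return os.path.normpath(os.path.join(base_dir, user_path))


def safe_resolve(base_dir: str, user_path: str) -> Path:
    """Canonicalise the candidate and require it to sit under base_dir.

    Raises ValueError for absolute paths and for anything that escapes the
    base after '..' and symlink resolution.
    """
    base = Path(base_dir).resolve()
    if Path(user_path).is_absolute():
        # An absolute second operand would replace the base entirely.
        raise ValueError("absolute paths are not allowed")
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)  # raises if candidate is outside base
    except ValueError:
        raise ValueError(f"path escapes base directory: {user_path!r}") from None
    return candidate


def is_confined(base_dir: str, user_path: str) -> bool:
    """Convenience predicate: True only if safe_resolve accepts the path."""
    try:
        safe_resolve(base_dir, user_path)
        return True
    except ValueError:
        return False


def safe_delete(base_dir: str, user_path: str) -> Path:
    """Delete a file only after the confinement check has passed."""
    target = safe_resolve(base_dir, user_path)
    os.remove(target)
    return target


if __name__ == "__main__":
    # Constructed inputs: an assumed report directory and a traversal attempt.
    base = "/srv/arm/reports"
    for p in ("daily/summary.csv", "../../etc/passwd", "/etc/passwd"):
        print(f"{p!r:24} unsafe -> {unsafe_resolve(base, p)!r:28} "
              f"confined={is_confined(base, p)}")
```

The unsafe variant shows why normalisation alone is not a fix: `normpath` resolves `../../etc/passwd` into `/srv/etc/passwd` without complaint. The confined variant resolves both sides and uses `relative_to`, so the check holds even when the base directory is itself a symlink.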
Note that SolarWinds assigns these bugs a CVSS score of 9.6, while ZDI lists all of them with a CVSS 3.0 score of 10.
The flaws impact Access Rights Manager version 2023.2.4 and prior releases and were addressed in Access Rights Manager version 2024.3, which was released on July 17.
The remaining five vulnerabilities resolved with the security update are high-severity issues that could allow attackers to delete arbitrary files, disclose information, and gain domain admin access.
Also reported via ZDI, they are tracked as CVE-2024-23465, CVE-2024-23468, CVE-2024-23474, CVE-2024-28992, and CVE-2024-28993, and carry a lower CVSS score in SolarWinds’ advisories than in ZDI’s.
As with the critical flaws, these bugs result from the lack of proper validation of user-supplied input and from exposed dangerous methods.
Users are advised to update their Access Rights Manager as soon as possible. Additional information can be found on SolarWinds’ security advisories page and on ZDI’s published advisories page.
Access Rights Manager is used within enterprise environments to generate Active Directory (AD) and Azure AD reports, allowing administrators to manage users’ access rights and review access logs.