CVE-2021-31475

Published: May 21, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Orion Job Scheduler 2020.2.1 HF 2. Authentication is required to exploit this vulnerability. The specific flaw exists within the JobRouterService WCF service. The issue is due to the WCF service configuration, which allows a critical resource to be accessed by unprivileged users. An attacker can leverage this vulnerability to execute code in the context of an administrator. Was ZDI-CAN-12007.

Affected (1)

Products: Solarwinds: Orion Job Scheduler

1 product

Orion Job Scheduler

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Solarwinds Orion Job Scheduler	Version 2020.2.1 hotfix2

Related CWEs

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (4)

https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/orion_platform_2020-2-5_release_notes.htm

Source: zdi-disclosures@trendmicro.com

Release NotesVendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-21-605/

Source: zdi-disclosures@trendmicro.com

Third Party AdvisoryVDB Entry

https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/orion_platform_2020-2-5_release_notes.htm

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-21-605/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

Timeline

No history available yet.