SolarWinds ARM Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability (CVE-2024-23472)

Summary

SolarWinds Access Rights Manager (ARM) is susceptible to Directory Traversal vulnerability. This vulnerability allows an authenticated user to arbitrary read and delete files in ARM.

We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.

Affected Products

• SolarWinds Access Rights Manager (ARM) 2023.2.4 and prior versions

Fixed Software Release

• SolarWinds Access Rights Manager (ARM) 2024.3

Acknowledgments

• Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative