SolarWinds Access Rights Manager (ARM) deleteTransferFile Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability

(CVE-2024-23474)

Summary

The SolarWinds Access Rights Manager was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability.

We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.

Affected Products

SolarWinds Access Rights Manager (ARM) 2023.2.4 and prior versions

Fixed Software Release

SolarWinds Access Rights Manager (ARM) 2024.3

Acknowledgments

Piotr Bazydlo working with Trend Micro Zero Day Initiative

Advisory Detail

Severity

7.6 High

Advisory ID

CVE-2024-23474

First Published

07/17/2024

Fixed Version

SolarWinds Access Rights Manager (ARM) 2024.3

CVSS Score

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H