CVE-2019-12864

SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) is vulnerable to Information Leakage, because of improper error handling with stack traces, as demonstrated by discovering a full pathname upon a 500 Internal Server Error via the api2/swis/query?lang=en-us&swAlertOnError=false query parameter.

CVSS v3 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.esecforte.com/network-performance-monitor-india-esec-forte-technologies/	Exploit Third Party Advisory
https://www.solarwinds.com/network-performance-monitor	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:solarwinds:netpath:1.1.4:::::::*
	cpe:2.3:a:solarwinds:network_performance_monitor:12.4:::::::*
	cpe:2.3:a:solarwinds:orion_platform:2018.4:hotfix3::::::

History

No history.

Information

Published : 2020-05-04 14:15

Updated : 2024-02-28 17:47

NVD link : CVE-2019-12864

Mitre link : CVE-2019-12864

CVE.ORG link : CVE-2019-12864

JSON object : View

Products Affected

solarwinds

network_performance_monitor
orion_platform
netpath

CWE

CWE-209

Generation of Error Message Containing Sensitive Information

{"id": "CVE-2019-12864", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2020-05-04T14:15:12.763", "references": [{"url": "https://www.esecforte.com/network-performance-monitor-india-esec-forte-technologies/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.solarwinds.com/network-performance-monitor", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-209"}]}], "descriptions": [{"lang": "en", "value": "SolarWinds Orion Platform 2018.4 HF3 (NPM 12.4, NetPath 1.1.4) is vulnerable to Information Leakage, because of improper error handling with stack traces, as demonstrated by discovering a full pathname upon a 500 Internal Server Error via the api2/swis/query?lang=en-us&swAlertOnError=false query parameter."}, {"lang": "es", "value": "Orion Platform versi\u00f3n 2018.4 HF3 de SolarWinds (NPM versi\u00f3n 12.4, NetPath versi\u00f3n 1.1.4), es vulnerable a una Filtraci\u00f3n de Informaci\u00f3n, debido al manejo inapropiado de errores con rastros de pila, como es demostrado al detectar una ruta completa en un Error de Servidor Interno 500 mediante el par\u00e1metro query de api2/swis/query?lang=en-us&swAlertOnError=false."}], "lastModified": "2021-07-21T11:39:23.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:netpath:1.1.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F909CC55-E476-4D58-8169-5FE46670AFE6"}, {"criteria": "cpe:2.3:a:solarwinds:network_performance_monitor:12.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DCF8FA42-503B-4EDE-81B0-AE25A654E623"}, {"criteria": "cpe:2.3:a:solarwinds:orion_platform:2018.4:hotfix3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EADD78FC-8E9C-468F-BF35-76D29047898F"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}