CVE-2022-36961 - Vulnerability Details - OpenCVE

A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.11775.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Solarwinds Subscribe	Orion Platform Subscribe

Configuration 1 [-]

cpe:2.3:a:solarwinds:orion_platform:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

All SolarWinds Platform customers are advised to upgrade to the latest generally available service update. (SolarWinds Platform)

Workaround

No workaround given by the vendor.

References

Link	Providers
https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm
https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961

History

Wed, 21 May 2025 01:15:00 +0900

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 17 Sep 2024 05:45:00 +0900

Type	Values Removed	Values Added
Description	A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution.	A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution.

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: SolarWinds

Published: 2022-09-30T16:06:10.288Z

Updated: 2025-05-20T16:01:34.479Z

Reserved: 2022-07-27T00:00:00.000Z

Link: CVE-2022-36961

Vulnrichment

Updated: 2024-08-03T10:21:32.333Z

NVD

Status : Modified

Published: 2022-09-30T17:15:13.010

Modified: 2024-11-21T07:14:09.720

Link: CVE-2022-36961

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-89

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Orion Platform", "vendor": "SolarWinds", "versions": [{"lessThan": "2022.2.3", "status": "affected", "version": "2022.2.3 and previous versions", "versionType": "custom"}]}], "datePublic": "2022-09-27T16:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution.</p>"}], "value": "A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-08-03T16:46:36.401Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>All SolarWinds Platform customers are advised to upgrade to the latest generally available service update. (SolarWinds Platform)</p>"}], "value": "All SolarWinds Platform customers are advised to upgrade to the latest generally available service update. (SolarWinds Platform)"}], "source": {"defect": ["CVE-2022-36961"], "discovery": "UNKNOWN"}, "title": "Orion Platform SQL Injection Privilege Escalation Vulnerability", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@solarwinds.com", "DATE_PUBLIC": "2022-09-28T14:35:00.000Z", "ID": "CVE-2022-36961", "STATE": "PUBLIC", "TITLE": "Orion Platform SQL Injection Privilege Escalation Vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Orion Platform", "version": {"version_data": [{"version_affected": "<", "version_name": "2022.2.3 and previous versions", "version_value": "2022.2.3"}]}}]}, "vendor_name": "SolarWinds"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961", "refsource": "CONFIRM", "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961"}, {"name": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm", "refsource": "CONFIRM", "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm"}]}, "solution": [{"lang": "en", "value": "All SolarWinds Platform customers are advised to upgrade to the latest generally available service update. (SolarWinds Platform)"}], "source": {"defect": ["CVE-2022-36961"], "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:21:32.333Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-20T16:01:28.039621Z", "id": "CVE-2022-36961", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-20T16:01:34.479Z"}}]}, "cveMetadata": {"assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "assignerShortName": "SolarWinds", "cveId": "CVE-2022-36961", "datePublished": "2022-09-30T16:06:10.288Z", "dateReserved": "2022-07-27T00:00:00.000Z", "dateUpdated": "2025-05-20T16:01:34.479Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm", "tags": ["x_refsource_CONFIRM", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:21:32.333Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2022-36961", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-20T16:01:28.039621Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-20T16:01:31.161Z"}}], "cna": {"title": "Orion Platform SQL Injection Privilege Escalation Vulnerability", "source": {"defect": ["CVE-2022-36961"], "discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SolarWinds", "product": "Orion Platform", "versions": [{"status": "affected", "version": "2022.2.3 and previous versions", "lessThan": "2022.2.3", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "All SolarWinds Platform customers are advised to upgrade to the latest generally available service update. (SolarWinds Platform)", "supportingMedia": [{"type": "text/html", "value": "<p>All SolarWinds Platform customers are advised to upgrade to the latest generally available service update. (SolarWinds Platform)</p>", "base64": false}]}], "datePublic": "2022-09-27T16:00:00.000Z", "references": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm", "tags": ["x_refsource_CONFIRM"]}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "descriptions": [{"lang": "en", "value": "A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution.", "supportingMedia": [{"type": "text/html", "value": "<p>A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 SQL Injection"}]}], "providerMetadata": {"orgId": "49f11609-934d-4621-84e6-e02e032104d6", "shortName": "SolarWinds", "dateUpdated": "2023-08-03T16:46:36.401Z"}, "x_legacyV4Record": {"impact": {"cvss": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, "source": {"defect": ["CVE-2022-36961"], "discovery": "UNKNOWN"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"version": {"version_data": [{"version_name": "2022.2.3 and previous versions", "version_value": "2022.2.3", "version_affected": "<"}]}, "product_name": "Orion Platform"}]}, "vendor_name": "SolarWinds"}]}}, "solution": [{"lang": "en", "value": "All SolarWinds Platform customers are advised to upgrade to the latest generally available service update. (SolarWinds Platform)"}], "data_type": "CVE", "generator": {"engine": "Vulnogram 0.0.9"}, "references": {"reference_data": [{"url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961", "name": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961", "refsource": "CONFIRM"}, {"url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm", "name": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm", "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "eng", "value": "A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2022-36961", "STATE": "PUBLIC", "TITLE": "Orion Platform SQL Injection Privilege Escalation Vulnerability", "ASSIGNER": "psirt@solarwinds.com", "DATE_PUBLIC": "2022-09-28T14:35:00.000Z"}}}}, "cveMetadata": {"cveId": "CVE-2022-36961", "state": "PUBLISHED", "dateUpdated": "2025-05-20T16:01:34.479Z", "dateReserved": "2022-07-27T00:00:00.000Z", "assignerOrgId": "49f11609-934d-4621-84e6-e02e032104d6", "datePublished": "2022-09-30T16:06:10.288Z", "assignerShortName": "SolarWinds"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:orion_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "B721D56C-DD6B-4C63-8438-5B888332D9B6", "versionEndIncluding": "2022.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerable component of Orion Platform was vulnerable to SQL Injection, an authenticated attacker could leverage this for privilege escalation or remote code execution."}, {"lang": "es", "value": "Un verbo usado en Orion era vulnerable a una inyecci\u00f3n de SQL, un atacante autenticado podr\u00eda aprovechar esto para la escalada de privilegios o una ejecuci\u00f3n de c\u00f3digo remota"}], "id": "CVE-2022-36961", "lastModified": "2024-11-21T07:14:09.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "psirt@solarwinds.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-30T17:15:13.010", "references": [{"source": "psirt@solarwinds.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm"}, {"source": "psirt@solarwinds.com", "tags": ["Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2022-3_release_notes.htm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961"}], "sourceIdentifier": "psirt@solarwinds.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "psirt@solarwinds.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}