CVE-2023-40056: 
SolarWinds Platform vulnerability analysis and mitigation

A SQL Injection Remote Code Execution Vulnerability (CVE-2023-40056) was discovered in the SolarWinds Platform. The vulnerability affects versions prior to 2023.4.2 and was disclosed on November 28, 2023. This security flaw can be exploited by attackers with low-privileged accounts to potentially execute arbitrary code (SolarWinds Advisory, NVD).

The vulnerability exists within the VimChartInfo class and stems from improper validation of user-supplied strings used in SQL query construction. It has received a CVSS v3.1 base score of 8.8 (High) from NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while SolarWinds assigned it a score of 8.0 (High) with the vector string CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-89 (SQL Injection) (ZDI Advisory, NVD).

An attacker can leverage this vulnerability to execute code in the context of SYSTEM, potentially leading to complete system compromise. The vulnerability affects confidentiality, integrity, and availability of the system, with potential for unauthorized access to sensitive data and system manipulation (ZDI Advisory).

SolarWinds has released version 2023.4.2 of the Platform to address this vulnerability. Users are advised to upgrade to this version to mitigate the risk (Release Notes).

The vulnerability was responsibly disclosed by security researcher Alex Birnberg working with Trend Micro Zero Day Initiative. The discovery and coordinated disclosure process took place between October 19, 2023, and December 5, 2023 (ZDI Advisory).