CVE-2023-40058: 
SolarWinds Access Rights Manager vulnerability analysis and mitigation

A sensitive data disclosure vulnerability (CVE-2023-40058) was identified in SolarWinds Access Rights Manager (ARM). The vulnerability was discovered when sensitive data was added to SolarWinds' public-facing knowledgebase that could potentially be used to access ARM components if the threat actor is in the same environment. This vulnerability affects Access Rights Manager (ARM) versions 2023.2.1 and earlier, with a fix available in version 2023.2.2 (SolarWinds Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The technical assessment indicates that the vulnerability requires Adjacent Network access, has Low attack complexity, requires No privileges, needs No user interaction, has an Unchanged scope, and can result in High confidentiality impact, with No impact on integrity or availability (NVD).

The primary impact of this vulnerability is the potential exposure of sensitive information to unauthorized actors. If exploited, the vulnerability could allow attackers within the same network environment to access components of Access Rights Manager (ARM) (ZDI Advisory).

SolarWinds has released version 2023.2.2 of Access Rights Manager (ARM) to address this vulnerability. Users are advised to upgrade to this version to mitigate the risk (SolarWinds Advisory).