CVE-2024-23468: 
SolarWinds Access Rights Manager vulnerability analysis and mitigation

The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal and Information Disclosure Vulnerability (CVE-2024-23468). This vulnerability, discovered in January 2024 and disclosed in July 2024, affects ARM version 2023.2.4 and prior releases. The vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information (Release Notes).

The specific flaw exists within the deleteTransferFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. The vulnerability has received a CVSS 3.1 base score of 7.6 HIGH, with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (ZDI Advisory, NVD).

An attacker can leverage this vulnerability to delete files and disclose information in the context of a highly privileged domain user. The vulnerability poses a significant risk to organizations using affected versions of Access Rights Manager, as it could lead to unauthorized access to sensitive information and system file manipulation (ZDI Advisory).

SolarWinds has released version 2024.3 of Access Rights Manager on July 17, 2024, which addresses this vulnerability along with several other security issues. Users are strongly advised to update their Access Rights Manager installations to this version as soon as possible (Release Notes).