CVE-2024-28986

2024-08-1323:15:16

CWE-502

[email protected]

web.nvd.nist.gov

solarwinds

help desk

java deserialization

rce

vulnerability

patch

authentication

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.03

Percentile

91.1%

JSON

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine.

While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing.

However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.

Affected configurations

Nvd

Node

solarwindsweb_help_deskRange≤12.8.2

solarwindsweb_help_deskMatch12.8.3-

VendorProductVersionCPE
solarwindsweb_help_desk*cpe:2.3:a:solarwinds:web_help_desk:*:*:*:*:*:*:*:*
solarwindsweb_help_desk12.8.3cpe:2.3:a:solarwinds:web_help_desk:12.8.3:-:*:*:*:*:*:*

Vendor	Product	Version	CPE
solarwinds	web_help_desk	*	cpe:2.3:a:solarwinds:web_help_desk::::::::
solarwinds	web_help_desk	12.8.3	cpe:2.3:a:solarwinds:web_help_desk:12.8.3:-::::::