VDB

GCVE-110-CERTCC-2020-843464

GCVE-110-CERTCC-2020-843464
Advisory Published
Vulnetix · Advisory published December 26, 2020
### Overview The SolarWinds Orion API is vulnerable to authentication bypass that could allow a remote attacker to execute API commands. ### Description The [SolarWinds Orion Platform](https://www.solarwinds.com/solutions/orion) is a suite of infrastructure and system monitoring and management products. The [SolarWinds Orion API](https://support.solarwinds.com/SuccessCenter/s/article/Support-for-Orion-SDK-and-other-API-related-tools) is embedded into the Orion Core and is used to interface with all SolarWinds Orion Platform products. API authentication can be bypassed by including specific parameters in the [`Request.PathInfo`](https://docs.microsoft.com/en-us/dotnet/api/system.web.httprequest.pathinfo?view=netframework-4.8) portion of a URI request, which could allow an attacker to execute unauthenticated API commands. In particular, if an attacker appends a `PathInfo` parameter of `WebResource.axd`, `ScriptResource.axd`, `i18n.ashx`, or `Skipi18n` to a request to a SolarWinds Orion server, SolarWinds may set the [SkipAuthorization](https://docs.microsoft.com/en-us/dotnet/api/system.web.httpcontext.skipauthorization) flag, which may allow the API request to be processed without requiring authentication. This vulnerability, also known as CVE-2020-10148, is the vulnerability that SolarWinds has [indicated](https://www.solarwinds.com/securityadvisory#anchor2) to have been used to install the malware known as SUPERNOVA. We have created a python3 script to check for vulnerable SolarWinds Orion servers: [swcheck.py](https://kb.cert.org/static-bigvince-prod-kb-eb/swcheck.py) ### Impact This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. ### Solution **Apply an Update** Users should update to the relevant versions of the SolarWinds Orion Platform: * 2019.4 HF 6 (released December 14, 2020) * 2020.2.1 HF 2 (released December 15, 2020) * 2019.2 SUPERNOVA Patch (released December 23, 2020) * 2018.4 SUPERNOVA Patch (released December 23, 2020) * 2018.2 SUPERNOVA Patch (released December 23, 2020) More information can be found in the [SolarWinds Security Advisory](https://www.solarwinds.com/securityadvisory#anchor2). **Harden the IIS Server** Especially in cases when updates cannot be installed, we recommend that users implement [these mitigations](https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip) to harden the IIS server. ### Acknowledgements This document was written by Madison Oliver and Will Dormann.

Browse GCVE Records

72,921 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›