Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-16791

In SolarWinds SFTP/SCP Server through 2018-09-10, the configuration file is world readable and writable, and stores user passwords in an insecure manner, allowing an attacker to determine passwords for potentially privileged accounts. This also grants the attacker an ability to backdoor the server.

Published

2018-12-05T22:29:00.227

Last Modified

2024-11-21T03:53:21.580

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-522

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	solarwinds	sftp\/scp_server	≤ 20180910	Yes

References

https://seclists.org/fulldisclosure/2018/Dec/0 Mailing List, Third Party Advisory ([email protected])
https://seclists.org/fulldisclosure/2018/Dec/0 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)