SB2024101733 - Multiple vulnerabilities in SolarWinds Serv-U
Published: October 17, 2024 Updated: November 28, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Path traversal (CVE-ID: CVE-2024-45711)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within the FTP service. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
2) Stored cross-site scripting (CVE-ID: CVE-2024-45714)
The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Use-after-free (CVE-ID: CVE-2024-4741)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error within the SSL_free_buffers() function. A remote attacker can trigger a use-after-free error and perform a denial of service (DoS) attack.
Note, the vulnerability affects only applications that call the vulnerable function.
4) Out-of-bounds read (CVE-ID: CVE-2024-5535)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition within the SSL_select_next_proto() function when using NPN. A remote attacker can send specially crafted data to the application, trigger an out-of-bounds read and perform a denial of service (DoS) attack.
5) Resource management error (CVE-ID: CVE-2024-4603)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when checking DSA keys and parameters. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-45711
- https://www.zerodayinitiative.com/advisories/ZDI-25-406/
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-45714
- https://documentation.solarwinds.com/en/Success_Center/servu/Content/release_notes/servu_15-5_release_notes.htm