SolarWinds Flaw Flagged by NATO Pen Tester

June 7, 2024 at 02:23PM

SolarWinds has released version 2024.2, which brings new features, upgrades, and security patches. Among the fixes is a high-severity SWQL injection bug (CVE-2024-28996) reported by a NATO-affiliated penetration tester. The release also fixes a high-severity cross-site scripting flaw (CVE-2024-29004) and a medium-severity race condition vulnerability. The update also improves map functionality and overall stability.

Version 2024.2 includes several new features, upgrades, and security patches. The update addresses three vulnerabilities: a high-severity SWQL injection bug (CVE-2024-28996, CVSS 7.5), a high-severity cross-site scripting flaw (CVE-2024-29004, CVSS 7.1), and a race condition vulnerability affecting the Web console (CVE-2024-28999) that is rated medium severity despite carrying a CVSS score of 7.1, a score that would ordinarily fall in the high band. Nils Putnins, a penetration tester affiliated with NATO, reported the SWQL injection bug to SolarWinds' security team.

The new version also includes enhancements to map functionality, stability, performance, and user experience. SolarWinds did not say whether any of the vulnerabilities have been exploited in the wild, but it did note that the "attack complexity is high" for the highest-severity CVE. SolarWinds' Orion platform was infamously compromised in the 2020 supply-chain attack that impacted numerous high-profile organizations and US federal government agencies; that incident involved a trojanized software build rather than exploitation of a product vulnerability like the ones patched here.
