SolarWinds Storage Resource Monitor Profiler < 6.2.3 Hotfix 1 RulesMetaData SQLi RCE

Critical Nessus Plugin ID 91917


A web application running on the remote host is affected by a remote code execution vulnerability.


The version of SolarWinds Storage Resource Monitor (SRM) Profiler (formerly SolarWinds Storage Manager) running on the remote host is prior to 6.2.3 Hotfix 1. It is, therefore, affected by a remote code execution vulnerability in ScriptServlet due to a failure to sanitize user-supplied input to the addNewRule() method of RulesMetaData. An unauthenticated, remote attacker can exploit this, via SQL injection, to disclose or manipulate arbitrary data in the back-end database or to execute arbitrary code with SYSTEM privileges.


Upgrade to SolarWinds SRM Profiler version 6.2.3 Hotfix 1 or later.

See Also

Plugin Details

Severity: Critical

ID: 91917

File Name: solarwinds_srm_profiler_6_2_3_hotfix_1.nasl

Version: $Revision: 1.3 $

Type: local

Agent: windows

Family: Windows

Published: 2016/07/04

Modified: 2016/08/15

Dependencies: 77503

Risk Information

Risk Factor: Critical


Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND

Vulnerability Information

CPE: cpe:/a:solarwinds:storage_manager, cpe:/a:solarwinds:storage_resource_monitor

Required KB Items: installed_sw/SolarWinds Storage Manager

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/06/10

Vulnerability Publication Date: 2016/06/10

Reference Information

OSVDB: 140424

ZDI: ZDI-16-374

IAVA: 2016-A-0166