CVE-2018-1250 - Dell EMC Unity and UnityVSA versions prior to 4.3.1.1525703027 contains an Authorization Bypass vuln

CVE-2018-1250

Summary

Dell EMC Unity and UnityVSA versions prior to 4.3.1.1525703027 contains an Authorization Bypass vulnerability. A remote authenticated user could potentially exploit this vulnerability to read files in NAS server by directly interacting with certain APIs of Unity OE, bypassing Role-Based Authorization control implemented only in Unisphere GUI.

References

https://seclists.org/fulldisclosure/2018/Sep/30

Vulnerable Configurations

cpe:2.3:o:dell:emc_unity_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:dell:emc_unity_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:dell:emc_unity:-:*:*:*:*:*:*:*
cpe:2.3:h:dell:emc_unity:-:*:*:*:*:*:*:*
cpe:2.3:o:dell:emc_unityvsa:*:*:*:*:*:*:*:*
cpe:2.3:o:dell:emc_unityvsa:*:*:*:*:*:*:*:*

CVSS

Base:	4.0 (as of 09-10-2019 - 23:38)
Impact:
Exploitability:

CWE

CWE-863

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	SINGLE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:L/Au:S/C:P/I:N/A:N

refmap via4

fulldisc

20180918 DSA-2018-101: Dell EMC Unity Family Multiple Vulnerabilities

Last major update

09-10-2019 - 23:38

Published

28-09-2018 - 18:29

Last modified

09-10-2019 - 23:38