CVE-2019-18581 - Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 v

CVE-2019-18581

Summary

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to alter the application’s allowable list of OS commands. This may lead to arbitrary OS command execution as the regular user runs the DPA service on the affected system.

References

https://www.dell.com/support/security/en-us/details/539430/DSA-2019-155-Dell-EMC-Data-Protection-Advisor-Security-Update-for-Multiple-Vulnerabilities

Vulnerable Configurations

cpe:2.3:a:dell:emc_data_protection_advisor:6.3:*:*:*:*:*:*:*
cpe:2.3:a:dell:emc_data_protection_advisor:6.3:*:*:*:*:*:*:*
cpe:2.3:a:dell:emc_data_protection_advisor:6.4:*:*:*:*:*:*:*
cpe:2.3:a:dell:emc_data_protection_advisor:6.4:*:*:*:*:*:*:*
cpe:2.3:a:dell:emc_data_protection_advisor:6.5:*:*:*:*:*:*:*
cpe:2.3:a:dell:emc_data_protection_advisor:6.5:*:*:*:*:*:*:*
cpe:2.3:a:dell:emc_data_protection_advisor:18.1:*:*:*:*:*:*:*
cpe:2.3:a:dell:emc_data_protection_advisor:18.1:*:*:*:*:*:*:*
cpe:2.3:a:dell:emc_data_protection_advisor:18.2:-:*:*:*:*:*:*
cpe:2.3:a:dell:emc_data_protection_advisor:18.2:-:*:*:*:*:*:*
cpe:2.3:a:dell:emc_data_protection_advisor:19.1:-:*:*:*:*:*:*
cpe:2.3:a:dell:emc_data_protection_advisor:19.1:-:*:*:*:*:*:*
cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.0:*:*:*:*:*:*:*
cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.0:*:*:*:*:*:*:*
cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.1:*:*:*:*:*:*:*
cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.1:*:*:*:*:*:*:*
cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.2:*:*:*:*:*:*:*
cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.2:*:*:*:*:*:*:*
cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.3:*:*:*:*:*:*:*
cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.3:*:*:*:*:*:*:*
cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.4:*:*:*:*:*:*:*
cpe:2.3:o:dell:emc_integrated_data_protection_appliance_firmware:2.4:*:*:*:*:*:*:*
cpe:2.3:h:dell:emc_idpa_dp4400:-:*:*:*:*:*:*:*
cpe:2.3:h:dell:emc_idpa_dp4400:-:*:*:*:*:*:*:*
cpe:2.3:h:dell:emc_idpa_dp5800:-:*:*:*:*:*:*:*
cpe:2.3:h:dell:emc_idpa_dp5800:-:*:*:*:*:*:*:*
cpe:2.3:h:dell:emc_idpa_dp8300:-:*:*:*:*:*:*:*
cpe:2.3:h:dell:emc_idpa_dp8300:-:*:*:*:*:*:*:*
cpe:2.3:h:dell:emc_idpa_dp8800:-:*:*:*:*:*:*:*
cpe:2.3:h:dell:emc_idpa_dp8800:-:*:*:*:*:*:*:*

CVSS

Base:	9.0 (as of 24-03-2020 - 19:10)
Impact:
Exploitability:

CWE

CWE-862

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	SINGLE

Impact

Confidentiality	Integrity	Availability
COMPLETE	COMPLETE	COMPLETE

cvss-vector via4

AV:N/AC:L/Au:S/C:C/I:C/A:C

refmap via4

misc

https://www.dell.com/support/security/en-us/details/539430/DSA-2019-155-Dell-EMC-Data-Protection-Advisor-Security-Update-for-Multiple-Vulnerabilities

Last major update

24-03-2020 - 19:10

Published

18-03-2020 - 19:15

Last modified

24-03-2020 - 19:10