Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-18582

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server-side template injection vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to inject malicious report generation scripts in the server. This may lead to OS command execution as the regular user runs the DPA service on the affected system.

Published

2020-03-18T19:15:16.623

Last Modified

2024-11-21T04:33:20.460

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.2 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

8.0

Impact Score

10.0

Weaknesses

Type: Secondary
CWE-94
Type: Primary
CWE-94

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	dell	emc_data_protection_advisor	6.3	Yes
Application	dell	emc_data_protection_advisor	6.4	Yes
Application	dell	emc_data_protection_advisor	6.5	Yes
Application	dell	emc_data_protection_advisor	18.1	Yes
Application	dell	emc_data_protection_advisor	18.2	Yes
Application	dell	emc_data_protection_advisor	19.1	Yes
Operating System	dell	emc_integrated_data_protection_appliance_firmware	2.0	Yes
Operating System	dell	emc_integrated_data_protection_appliance_firmware	2.1	Yes
Operating System	dell	emc_integrated_data_protection_appliance_firmware	2.2	Yes
Operating System	dell	emc_integrated_data_protection_appliance_firmware	2.3	Yes
Operating System	dell	emc_integrated_data_protection_appliance_firmware	2.4	Yes
Hardware	dell	emc_idpa_dp4400	-	No
Hardware	dell	emc_idpa_dp5800	-	No
Hardware	dell	emc_idpa_dp8300	-	No
Hardware	dell	emc_idpa_dp8800	-	No

References

https://www.dell.com/support/security/en-us/details/539430/DSA-2019-155-Dell-EMC-Data-Protection-Advisor-Security-Update-for-Multiple-Vulnerabilities Vendor Advisory ([email protected])
https://www.dell.com/support/security/en-us/details/539430/DSA-2019-155-Dell-EMC-Data-Protection-Advisor-Security-Update-for-Multiple-Vulnerabilities Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)