Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-23232

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could allow disabled, expired, or locked external user accounts to access S3 data to which they previously had access. StorageGRID 11.6.0 obtains the user account status from Active Directory or Azure and will block S3 access for disabled user accounts during the subsequent background synchronization. User accounts that are expired or locked for Active Directory or Azure, or user accounts that are disabled, expired, or locked in identity sources other than Active Directory or Azure must be manually removed from group memberships or have their S3 keys manually removed from Tenant Manager in all versions of StorageGRID (formerly StorageGRID Webscale).

Published

2022-03-04T18:15:08.260

Last Modified

2024-11-21T06:48:14.080

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.9 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:S/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

8.0

Impact Score

2.9

Weaknesses

Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	netapp	storagegrid	< 11.6.0	Yes

References

https://security.netapp.com/advisory/NTAP-20220303-0009/ Vendor Advisory ([email protected])
https://security.netapp.com/advisory/NTAP-20220303-0009/ Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)