Vulnerabilities > CVE-2019-18581 - Missing Authorization vulnerability in Dell products

CVSS 9.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

dell

CWE-862

critical

NVD

Published: 2020-03-18

Updated: 2020-03-24

Summary

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to alter the application’s allowable list of OS commands. This may lead to arbitrary OS command execution as the regular user runs the DPA service on the affected system.

Vulnerable Configurations

Part	Description	Count
Application	Dell Dell EMC Data Protection Advisor 6.3 Dell EMC Data Protection Advisor 6.4 Dell EMC Data Protection Advisor 6.5 Dell EMC Data Protection Advisor 18.1 Dell EMC Data Protection Advisor 18.2 Dell EMC Data Protection Advisor 19.1	6
OS	Dell Dell EMC Integrated Data Protection Appliance Firmware 2.0 Dell EMC Integrated Data Protection Appliance Firmware 2.1 Dell EMC Integrated Data Protection Appliance Firmware 2.2 Dell EMC Integrated Data Protection Appliance Firmware 2.3 Dell EMC Integrated Data Protection Appliance Firmware 2.4	5
Hardware	Dell Dell EMC Idpa Dp4400 - Dell EMC Idpa Dp5800 - Dell EMC Idpa Dp8300 - Dell EMC Idpa Dp8800 -	4

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://www.dell.com/support/security/en-us/details/539430/DSA-2019-155-Dell-EMC-Data-Protection-Advisor-Security-Update-for-Multiple-Vulnerabilities