Risk | Critical |
Patch available | YES |
Number of vulnerabilities | 24 |
CVE-ID | CVE-2022-25235 CVE-2022-21496 CVE-2022-21476 CVE-2022-21449 CVE-2022-21443 CVE-2022-21434 CVE-2022-21426 CVE-2022-25315 CVE-2022-25314 CVE-2022-25313 CVE-2022-25236 CVE-2022-24407 CVE-2020-29651 CVE-2022-23648 CVE-2022-0778 CVE-2021-3800 CVE-2022-22978 CVE-2022-22970 CVE-2022-22968 CVE-2022-22965 CVE-2022-22950 CVE-2021-43466 CVE-2021-33503 CVE-2020-36242 |
CWE-ID | CWE-94 CWE-20 CWE-190 CWE-121 CWE-89 CWE-400 CWE-264 CWE-835 CWE-200 CWE-285 CWE-254 CWE-185 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #4 is available. Public exploit code for vulnerability #14 is available. Public exploit code for vulnerability #15 is available. Public exploit code for vulnerability #17 is available. Public exploit code for vulnerability #19 is available. Vulnerability #20 is being exploited in the wild. |
Vulnerable software | Dell Policy Manager for Secure Connect Gateway (SCG) | Other software / Other software solutions |
Vendor | Dell |
Security Bulletin
This security bulletin contains information about 24 vulnerabilities.
EUVDB-ID: #VU60736
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-25235
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists because the affected application lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU62400
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21496
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the JNDI component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU62398
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21476
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU62397
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-21449
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: Yes
Description: The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU62402
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21443
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU62401
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21434
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to manipulate data.
The vulnerability exists due to improper input validation within the Libraries component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU62399
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-21426
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote non-authenticated attacker to perform service disruption.
The vulnerability exists due to improper input validation within the JAXP component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU60739
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-25315
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an integer overflow in the storeRawNames function. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU60738
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-25314
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an integer overflow in copyString. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and cause a denial of service condition on the target system.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU60737
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-25313
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in build_model. A remote unauthenticated attacker can trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU60733
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-25236
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper protection against insertion of namesep characters into namespace URIs in xmlparse.c. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU60842
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-24407
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of the password in the SQL plugin shipped with Cyrus SASL. A remote non-authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, or modify data in the database and gain complete control over the affected application.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU65859
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-29651
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources. A remote attacker can perform a compute-time denial of service attack by supplying malicious input to the blame functionality.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU60972
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-23648
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error in containerd when handling a specially crafted image configuration for containers launched through containerd’s CRI implementation. A remote attacker can bypass any policy-based enforcement on container setup and access read-only copies of arbitrary files and directories on the host.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU61391
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-0778
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop within the BN_mod_sqrt() function when processing an ASN.1 certificate that contains elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. A remote attacker can supply a specially crafted certificate to the TLS server or client, consume all available system resources and cause denial of service conditions.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU65849
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-3800
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can trick the victim into opening a specially crafted file to gain unauthorized access to sensitive information on the system.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU63345
Risk: High
CVSSv3.1: 7.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-22978
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to bypass the authorization process.
The vulnerability exists due to an input validation error when processing untrusted input in applications that are using RegexRequestMatcher with `.` in the regular expression. A remote non-authenticated attacker can bypass authorization checks.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU63084
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22970
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input within the Spring MVC or Spring WebFlux applications. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU62314
Risk: Medium
CVSSv3.1: 4.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2022-22968
CWE-ID:
CWE-254 - Security Features
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists because patterns for disallowedFields on a DataBinder are case sensitive, which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path. A remote attacker can bypass implemented security restrictions by passing case sensitive data to the application.
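The listing rule described above, as an added example (not code from this bulletin or from Spring): a Java helper that expands each disallowedFields pattern into the upper- and lower-case first-character variants of every path segment and reports which variants a configured list lacks. The field names are constructed samples.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example: audits a disallowedFields list for the first-character
 * case variants the description calls for. Field names are constructed samples.
 */
public class DisallowedFieldsAudit {

    /** Both first-character casings of one path segment (one entry if it has no case). */
    static List<String> caseVariants(String segment) {
        if (segment.isEmpty() || !Character.isLetter(segment.charAt(0))) {
            return List.of(segment); // e.g. "*": nothing to vary
        }
        String rest = segment.substring(1);
        String lower = Character.toLowerCase(segment.charAt(0)) + rest;
        String upper = Character.toUpperCase(segment.charAt(0)) + rest;
        return lower.equals(upper) ? List.of(lower) : List.of(lower, upper);
    }

    /** Every variant of a dotted property path: up to 2^n entries for n segments. */
    static Set<String> expand(String pattern) {
        String[] segments = pattern.split("\\.", -1);
        List<String> paths = new ArrayList<>(caseVariants(segments[0]));
        for (int i = 1; i < segments.length; i++) {
            List<String> next = new ArrayList<>();
            for (String prefix : paths) {
                for (String variant : caseVariants(segments[i])) {
                    next.add(prefix + "." + variant);
                }
            }
            paths = next;
        }
        return new LinkedHashSet<>(paths);
    }

    /** Variants the configured list does not contain (exact, case-sensitive comparison). */
    static Set<String> missingVariants(List<String> configured) {
        Set<String> required = new LinkedHashSet<>();
        for (String pattern : configured) {
            required.addAll(expand(pattern));
        }
        required.removeAll(configured);
        return required;
    }

    public static void main(String[] args) {
        // Constructed sample of what an application might pass to
        // DataBinder.setDisallowedFields(String...).
        List<String> configured = Arrays.asList("isAdmin", "account.role");

        Set<String> missing = missingVariants(configured);
        System.out.println("Configured:            " + configured);
        System.out.println("Missing case variants: " + missing);

        // Full list to configure until the vendor update is installed.
        Set<String> complete = new LinkedHashSet<>(configured);
        complete.addAll(missing);
        System.out.println("Complete list:         " + complete);
    }
}
```

A nested path with n segments needs up to 2^n entries, which is why hand-maintained lists tend to miss variants.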
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU61756
Risk: Critical
CVSSv3.1: 9.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2022-22965
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted HTTP request to the affected application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Note, the vulnerability is being actively exploited in the wild.
This vulnerability was dubbed "Spring4Shell".
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
EUVDB-ID: #VU61760
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-22950
CWE-ID:
CWE-185 - Incorrect Regular Expression
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when processing SpEL expressions. A remote attacker can send a specially crafted HTTP request to the affected application and perform a denial of service (DoS) attack.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU65888
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-43466
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU54077
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-33503
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in urllib3 when processing a URL with multiple "@" characters in the authority component. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50990
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-36242
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an integer overflow when processing certain sequences of update calls to symmetrically encrypt multi-GB values. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install update from vendor's website.
Vulnerable software versions: Dell Policy Manager for Secure Connect Gateway (SCG): 5.10.00.00
External links:
http://www.dell.com/support/kbdoc/nl-nl/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
http://www.dell.com/support/kbdoc/en-us/000201859/dsa-2022-198-dell-emc-policy-manager-for-secure-connect-gateway-security-update-for-multiple-third-party-component-vulnerabilities
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.