Multiple vulnerabilities in Dell EMC AppSync



Published: 2022-09-26
Risk High
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2019-12900
CVE-2016-3189
CVE-2021-33503
CVE-2021-3712
CWE-ID CWE-787
CWE-416
CWE-400
CWE-125
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Dell EMC AppSync
Web applications / Remote management & hosting panels

Vendor Dell

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Out-of-bounds write

EUVDB-ID: #VU19178

Risk: High

CVSSv3.1:

CVE-ID: CVE-2019-12900

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the BZ2_decompress() function in decompress.c. A remote attacker can create a specially crafted archive, trick the victim into opening it using the affected library, trigger out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC AppSync: before 4.4.1.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/fr-fr/printview/000199436/10/en

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Use-after-free memory corruption in bzip2recover

EUVDB-ID: #VU12

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2016-3189

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause the target application to crash.

The vulnerability exists due to an use-after-free error in bzip2recover when handling bzip2 files. A remote unauthenticated attacker can send a specially crafted bzip2 archive and cause the target application to crash.

Successful exploitation of this vulnerability will result in denial of service.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC AppSync: before 4.4.1.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/fr-fr/printview/000199436/10/en

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

3) Resource exhaustion

EUVDB-ID: #VU54077

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-33503

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation in urllib3 when processing URL with multiple "@" characters in the authority component. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC AppSync: before 4.4.1.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/fr-fr/printview/000199436/10/en

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

4) Out-of-bounds read

EUVDB-ID: #VU56064

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-3712

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing ASN.1 strings related to a confusion with NULL termination of strings in array. A remote attacker can pass specially crafted data to the application to trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell EMC AppSync: before 4.4.1.0


CPE2.3
External links

http://www.dell.com/support/kbdoc/fr-fr/printview/000199436/10/en

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###