Multiple vulnerabilities in Dell EMC ECS



Risk High
Patch available YES
Number of vulnerabilities 49
CVE-ID CVE-2020-2756
CVE-2020-2816
CVE-2020-2781
CVE-2020-2830
CVE-2020-2767
CVE-2020-2800
CVE-2020-2778
CVE-2020-2764
CVE-2020-2754
CVE-2020-2755
CVE-2020-2773
CVE-2020-2757
CVE-2020-2805
CVE-2020-14664
CVE-2020-14583
CVE-2020-14593
CVE-2020-14562
CVE-2020-14621
CVE-2020-14556
CVE-2020-14573
CVE-2020-14581
CVE-2020-14578
CVE-2020-14579
CVE-2020-14577
CVE-2019-18197
CVE-2020-2803
CVE-2020-8718
CVE-2020-8708
CVE-2020-8730
CVE-2020-8731
CVE-2020-8707
CVE-2020-8719
CVE-2020-8721
CVE-2020-8710
CVE-2020-8711
CVE-2020-8712
CVE-2020-8722
CVE-2020-5366
CVE-2020-8732
CVE-2020-8709
CVE-2020-8723
CVE-2020-8713
CVE-2020-8706
CVE-2020-8729
CVE-2020-8715
CVE-2020-8716
CVE-2020-8714
CVE-2020-8717
CVE-2020-8720
CWE-ID CWE-20
CWE-119
CWE-287
CWE-122
CWE-264
CWE-284
CWE-22
CWE-79
CWE-824
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
EMC ECS
Other software / Other software solutions

Vendor Dell

Security Bulletin

This security bulletin contains information about 49 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU27230

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2756

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Serialization component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper input validation

EUVDB-ID: #VU27220

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2816

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the JSSE component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Improper input validation

EUVDB-ID: #VU27221

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2781

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the JSSE component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Improper input validation

EUVDB-ID: #VU27222

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2830

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Concurrency component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper input validation

EUVDB-ID: #VU27223

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2767

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the JSSE component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper input validation

EUVDB-ID: #VU27224

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2800

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Lightweight HTTP Server component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper input validation

EUVDB-ID: #VU27225

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2778

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the JSSE component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Improper input validation

EUVDB-ID: #VU27226

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2764

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the Advanced Management Console component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Improper input validation

EUVDB-ID: #VU27227

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2754

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Scripting component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Improper input validation

EUVDB-ID: #VU27228

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2755

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Scripting component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper input validation

EUVDB-ID: #VU27229

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2773

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Security component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Improper input validation

EUVDB-ID: #VU27231

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2757

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Serialization component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Improper input validation

EUVDB-ID: #VU27219

Risk: High

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2805

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Improper input validation

EUVDB-ID: #VU30071

Risk: High

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14664

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the JavaFX component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Improper input validation

EUVDB-ID: #VU30065

Risk: High

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14583

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Java component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Improper input validation

EUVDB-ID: #VU30072

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14593

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the 2D component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Improper input validation

EUVDB-ID: #VU30073

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14562

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the ImageIO component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Improper input validation

EUVDB-ID: #VU30074

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14621

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the JAXP component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Improper input validation

EUVDB-ID: #VU30075

Risk: Medium

CVSSv3.1: 4.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14556

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Improper input validation

EUVDB-ID: #VU30076

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14573

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

The vulnerability exists due to improper input validation within the Hotspot component in Java SE. A remote non-authenticated attacker can exploit this vulnerability to manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Improper input validation

EUVDB-ID: #VU30077

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14581

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the 2D component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Improper input validation

EUVDB-ID: #VU30078

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14578

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Improper input validation

EUVDB-ID: #VU30079

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14579

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

The vulnerability exists due to improper input validation within the Libraries component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to perform service disruption.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Improper input validation

EUVDB-ID: #VU30080

Risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-14577

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the JSSE component in Java SE Embedded. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Buffer overflow

EUVDB-ID: #VU21942

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18197

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the xsltCopyText() function in transform.c in libxslt. A remote attacker can create a specially crafted XML document, pass it to the affected application, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Improper input validation

EUVDB-ID: #VU27212

Risk: High

CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-2803

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The vulnerability exists due to improper input validation within the Java component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

27) Buffer overflow

EUVDB-ID: #VU45713

Risk: Low

CVSSv3.1: 6.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8718

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in a subsystem. A local user can trigger memory corruption and execute arbitrary code on the target system with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

28) Improper Authentication

EUVDB-ID: #VU45704

Risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8708

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error when processing authentication requests. A remote attacker on the local network can bypass authentication process and gain unauthorized access to the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

29) Heap-based Buffer Overflow

EUVDB-ID: #VU45705

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8730

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A local user can pass specially crafted data to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

30) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU45706

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8731

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

31) Buffer overflow

EUVDB-ID: #VU45707

Risk: Medium

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8707

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in daemon. A remote attacker on the local network can trigger memory corruption and execute arbitrary code on the target system with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

32) Buffer overflow

EUVDB-ID: #VU45708

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8719

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in subsystem. A local administrator can trigger memory corruption and execute arbitrary code on the target system with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

33) Improper Input Validation

EUVDB-ID: #VU45709

Risk: Low

CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8721

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to insufficient validation of user-supplied input. A local user can pass specially crafted input to the application and gain elevated privileges on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

34) Buffer overflow

EUVDB-ID: #VU45710

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8710

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the bootloader. A local administrator can trigger memory corruption and execute arbitrary code on the target system with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

35) Improper Access Control

EUVDB-ID: #VU45711

Risk: Low

CVSSv3.1: 5.8 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8711

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions in the bootloader. A local administrator can bypass implemented security restrictions and gain unauthorized access to the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

36) Buffer overflow

EUVDB-ID: #VU45712

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8712

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in a verification process. A local user can trigger memory corruption and execute arbitrary code on the target system with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

37) Buffer overflow

EUVDB-ID: #VU45714

Risk: Low

CVSSv3.1: 5.6 [CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8722

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in a subsystem. A local administrator can trigger memory corruption and execute arbitrary code on the target system with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

38) Path traversal

EUVDB-ID: #VU45801

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-5366

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote authenticated user can send a specially crafted HTTP request and read arbitrary files on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

39) Heap-based Buffer Overflow

EUVDB-ID: #VU45715

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8732

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the firmware. A remote attacker on the local network can pass specially crafted data to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system with elevated privileges.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

40) Improper Authentication

EUVDB-ID: #VU45716

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8709

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error when processing authentication requests in socket services. A remote attacker on the local network can bypass authentication process and gain unauthorized access to the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

41) Cross-site scripting

EUVDB-ID: #VU45717

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8723

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker on the local network can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

42) Improper Authentication

EUVDB-ID: #VU45718

Risk: Low

CVSSv3.1: 3 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8713

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests. A remote attacker on the local network can bypass authentication process and gain elevated privileges on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

43) Buffer overflow

EUVDB-ID: #VU45719

Risk: Low

CVSSv3.1: 4.1 [CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8706

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to a boundary error in a daemon. A remote attacker on the local network can trigger memory corruption and gain elevated privileges on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

44) Buffer overflow

EUVDB-ID: #VU45720

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8729

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error. A local user can trigger memory corruption and gain elevated privileges on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

45) Access of Uninitialized Pointer

EUVDB-ID: #VU45721

Risk: Low

CVSSv3.1: 5 [CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8715

CWE-ID: CWE-824 - Access of Uninitialized Pointer

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an invalid pointer. A local user can cause a denial of service condition on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

46) Improper Access Control

EUVDB-ID: #VU45722

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8716

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A local user can bypass implemented security restrictions and cause a denial of service (DoS) condition on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

47) Improper Authentication

EUVDB-ID: #VU45723

Risk: Low

CVSSv3.1: 3.3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8714

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a local user to bypass authentication process.

The vulnerability exists due to an error when processing authentication requests. A local user can bypass authentication process and gain elevated privileges on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

48) Improper Input Validation

EUVDB-ID: #VU45724

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8717

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of servise (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in a subsystem. A local user can pass specially crafted input to the application and cause a denial of service condition on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

49) Buffer overflow

EUVDB-ID: #VU45725

Risk: Low

CVSSv3.1: 2 [CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-8720

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error subsystem. A local administrator can trigger memory corruption and cause a denial of service on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

EMC ECS: before 3.6

CPE2.3
External links

http://www.dell.com/support/kbdoc/en-us/000181580/dsa-2020-269-dell-emc-ecs-security-update-for-multiple-third-party-component-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###