Multiple vulnerabilities in Dell EMC Unity Family, Dell EMC Unity XT Family
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 20 |
| CVE-ID | CVE-2019-11715 CVE-2019-10160 CVE-2019-9636 CVE-2018-20852 CVE-2019-6133 CVE-2018-18311 CVE-2019-11730 CVE-2019-11729 CVE-2019-11719 CVE-2019-11717 CVE-2019-11713 CVE-2019-11712 CVE-2019-11711 CVE-2019-11709 CVE-2019-9811 CVE-2019-13627 CVE-2019-13012 CVE-2019-5482 CVE-2019-12900 CVE-2016-3189 |
| CWE-ID | CWE-79 CWE-20 CWE-200 CWE-264 CWE-190 CWE-122 CWE-125 CWE-416 CWE-352 CWE-119 CWE-310 CWE-276 CWE-787 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #5 is available. Public exploit code for vulnerability #6 is available. |
| Vulnerable software Subscribe |
Dell EMC UnityVSA Operating Environment (OE) Hardware solutions / Other hardware appliances Dell EMC Unity XT Operating Environment (OE) Hardware solutions / Other hardware appliances Dell EMC Unity Operating Environment (OE) Hardware solutions / Other hardware appliances |
| Vendor | Dell |
Security Bulletin
This security bulletin contains information about 20 vulnerabilities.
1) Cross-site scripting
EUVDB-ID: #VU33035
Risk: Low
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11715
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
MitigationInstall update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU20071
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-10160
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user and password parts of a URL. This issue exists due to incorrect patch for previous issue described in SB2019030811 (CVE-2019-9636). A remote attacker can gain access to sensitive information.
Install update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU18355
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-9636
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input when processing data in Unicode encoding with an incorrect netloc during NFKC normalization. A remote attacker can gain access to sensitive information.
Install update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Information disclosure
EUVDB-ID: #VU19256
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-20852
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the "http.cookiejar.DefaultPolicy.domain_return_ok" in the "Lib/http/cookiejar.py" file returns incorrect results during cookie domain checks. A remote attacker can trick a victim to execute a program that uses the "http.cookiejar.DefaultPolicy" to make an HTTP connection to an attacker-controlled server with a hostname that has another valid hostname as a suffix.
Successful exploitation of this vulnerability can allow an attacker to gain unauthorized access to sensitive information on the system, such as existing cookies. Mitigation
Install update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Security restrictions bypass
EUVDB-ID: #VU16966
Risk: Low
CVSSv3.1: 6.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-6133
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The vulnerability exists due to fork() is not atomic, and therefore authorization decisions are improperly cached, related to lack of uid checking in polkitbackend/polkitbackendinteractiveauthority.c. A remote unauthenticated attacker can bypass the "start time" protection mechanism
MitigationInstall update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
6) Integer overflow
EUVDB-ID: #VU16183
Risk: High
CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-18311
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition or execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in Perl_my_setenv when processing malicious input. A remote unauthenticated attacker can supply specially crafted data, trigger heap-based buffer overflow and cause the service to crash or execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
7) Information disclosure
EUVDB-ID: #VU33439
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11730
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
A vulnerability exists where if a user opens a locally saved HTML file, this file can use file: URIs to access other files in the same directory or sub-directories if the names are known or guessed. The Fetch API can then be used to read the contents of any files stored in these directories and they may uploaded to a server. It was demonstrated that in combination with a popular Android messaging app, if a malicious HTML attachment is sent to a user and they opened that attachment in Firefox, due to that app's predictable pattern for locally-saved file names, it is possible to read attachments the victim received from other correspondents. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
MitigationInstall update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Input validation error
EUVDB-ID: #VU23562
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11729
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when processing an empty or malformed p256-ECDH public keys. A remote attacker can trigger a segmentation fault and cause a denial of service condition on the target system.
Install update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Out-of-bounds read
EUVDB-ID: #VU33037
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11719
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
MitigationInstall update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Input validation error
EUVDB-ID: #VU33036
Risk: Medium
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11717
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to manipulate data.
A vulnerability exists where the caret ("^") character is improperly escaped constructing some URIs due to it being used as a separator, allowing for possible spoofing of origin attributes. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
MitigationInstall update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Use-after-free
EUVDB-ID: #VU33034
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11713
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
A use-after-free vulnerability can occur in HTTP/2 when a cached HTTP/2 stream is closed while still in use, resulting in a potentially exploitable crash. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
MitigationInstall update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Cross-site request forgery
EUVDB-ID: #VU33033
Risk: High
CVSSv3.1: 7.7 [AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11712
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform Cross-Site Request Forgery (CSRF) attacks. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.
MitigationInstall update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Input validation error
EUVDB-ID: #VU33032
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11711
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
When an inner window is reused, it does not consider the use of document.domain for cross-origin protections. If pages on different subdomains ever cooperatively use document.domain, then either page can abuse this to inject script into arbitrary pages on the other subdomain, even those that did not use document.domain to relax their origin security. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
MitigationInstall update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Buffer overflow
EUVDB-ID: #VU33030
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-11709
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Mozilla developers and community members reported memory safety bugs present in Firefox 67 and Firefox ESR 60.7. Some of these bugs showed evidence of memory corruption and we presume that with enough effort that some of these could be exploited to run arbitrary code. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
MitigationInstall update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU33399
Risk: High
CVSSv3.1: 7.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-9811
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
As part of a winning Pwn2Own entry, a researcher demonstrated a sandbox escape by installing a malicious language pack and then opening a browser feature that used the compromised translation. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.
MitigationInstall update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Cryptographic issues
EUVDB-ID: #VU24721
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13627
CWE-ID:
CWE-310 - Cryptographic Issues
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform timing attack.
The vulnerability exists due to an error within the libgcrypt20 cryptographic library. A remote attacker can perform ECDSA timing attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Incorrect default permissions
EUVDB-ID: #VU18944
Risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-13012
CWE-ID:
CWE-276 - Incorrect Default Permissions
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to incorrect default permissions for files and folders that are set by the application. A local user with access to the system can view contents of files and directories or modify them.
MitigationInstall update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Heap-based buffer overflow
EUVDB-ID: #VU21059
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-5482
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the tftp_receive_packet() function when processing TFTP data. A remote attacker can send specially crafted TFTP response to the vulnerable curl client, trigger heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Out-of-bounds write
EUVDB-ID: #VU19178
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-12900
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionInstall update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Use-after-free memory corruption in bzip2recover
EUVDB-ID: #VU12
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-3189
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause the target application to crash.
The vulnerability exists due to an use-after-free error in bzip2recover when handling bzip2 files. A remote unauthenticated attacker can send a specially crafted bzip2 archive and cause the target application to crash.
Successful exploitation of this vulnerability will result in denial of service.
MitigationInstall update from vendor's website.
Vulnerable software versionsDell EMC UnityVSA Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity XT Operating Environment (OE): before 5.0.2.0.5.009
Dell EMC Unity Operating Environment (OE): before 5.0.2.0.5.009
External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
