Multiple vulnerabilities in Dell ObjectScale
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 71 |
| CVE-ID | CVE-2022-21713 CVE-2022-23524 CVE-2022-23525 CVE-2022-23526 CVE-2022-29170 CVE-2021-43815 CVE-2022-21703 CVE-2022-41721 CVE-2022-45685 CVE-2021-31525 CVE-2020-29652 CVE-2020-7919 CVE-2020-28366 CVE-2021-33197 CVE-2020-15586 CVE-2020-28367 CVE-2021-46877 CVE-2022-45693 CVE-2020-29510 CVE-2023-20861 CVE-2023-0433 CVE-2023-0512 CVE-2023-1170 CVE-2023-1175 CVE-2023-20863 CVE-2023-20860 CVE-2023-1436 CVE-2022-1471 CVE-2022-40898 CVE-2022-37454 CVE-2021-22570 CVE-2022-3171 CVE-2022-3510 CVE-2022-3509 CVE-2021-33195 CVE-2021-27918 CVE-2022-41903 CVE-2021-21300 CVE-2022-24975 CVE-2022-24765 CVE-2022-29187 CVE-2022-39253 CVE-2022-39260 CVE-2022-23521 CVE-2023-25153 CVE-2023-22490 CVE-2023-23946 CVE-2023-28319 CVE-2022-32221 CVE-2020-36242 CVE-2021-37533 CVE-2023-25173 CVE-2023-28840 CVE-2021-34558 CVE-2021-36221 CVE-2021-39293 CVE-2021-33196 CVE-2021-33198 CVE-2020-28362 CVE-2020-16845 CVE-2021-41771 CVE-2020-14039 CVE-2021-38297 CVE-2023-28841 CVE-2021-29923 CVE-2021-41772 CVE-2021-3114 CVE-2020-24553 CVE-2023-34231 CVE-2022-46146 CVE-2023-28842 |
| CWE-ID | CWE-639 CWE-20 CWE-22 CWE-352 CWE-444 CWE-787 CWE-674 CWE-476 CWE-295 CWE-94 CWE-862 CWE-362 CWE-502 CWE-435 CWE-122 CWE-369 CWE-119 CWE-190 CWE-79 CWE-835 CWE-668 CWE-426 CWE-264 CWE-400 CWE-59 CWE-416 CWE-440 CWE-345 CWE-269 CWE-420 CWE-770 CWE-399 CWE-311 CWE-682 CWE-77 CWE-836 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #28 is available. Public exploit code for vulnerability #30 is available. Public exploit code for vulnerability #38 is available. Public exploit code for vulnerability #42 is available. Public exploit code for vulnerability #54 is available. Public exploit code for vulnerability #63 is available. |
| Vulnerable software |
ObjectScale Other software / Other software solutions |
| Vendor | Dell |
Security Bulletin
This security bulletin contains information about 71 vulnerabilities.
1) Authorization bypass through user-controlled key
EUVDB-ID: #VU64394
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-21713
CWE-ID:
CWE-639 - Authorization Bypass Through User-Controlled Key
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to an Insecure Direct Object Reference (IDOR) error in Grafana Teams APIs. A remote authenticated user can view unintended data by querying for the specific team ID or search for teams and see the total number of available teams.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Input validation error
EUVDB-ID: #VU70620
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-23524
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the strvals package when parsing string values. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Input validation error
EUVDB-ID: #VU70619
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-23525
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the repo package when parsing a repository index file. A remote attacker can pass specially crafted repository index file to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU70618
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-23526
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in the chartutil package. A remote attacker can pass specially crafted JSON Schema validation file to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU63461
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-29170
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to insufficient validation of user-supplied input when processing HTTP Host header during redirection. A remote attacker can perform spoofing attack.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Path traversal
EUVDB-ID: #VU64404
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-43815
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing .csv files. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Cross-site request forgery
EUVDB-ID: #VU64399
Risk: Medium
CVSSv4.0: 4.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-21703
CWE-ID:
CWE-352 - Cross-Site Request Forgery (CSRF)
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform cross-site request forgery attacks.
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into inviting the attacker as a new user with high privileges to escalate privileges.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Inconsistent interpretation of HTTP requests
EUVDB-ID: #VU72886
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-41721
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform HTTP/2 request smuggling attacks.
The vulnerability exists due to improper validation of HTTP/2 requests when using MaxBytesHandler. A remote attacker can send a specially crafted HTTP/2 request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Out-of-bounds write
EUVDB-ID: #VU71108
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-45685
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack..
The vulnerability exists due to a boundary error when processing crafted JSON data. A remote attacker can pass specially crafted input to the application, trigger an out-of-bounds write and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Uncontrolled Recursion
EUVDB-ID: #VU54910
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-31525
CWE-ID:
CWE-674 - Uncontrolled Recursion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a DoS attack.
The vulnerability exists due to uncontrolled recursion when processing HTTP headers. A remote attacker can send a large header to ReadRequest or ReadResponse and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) NULL pointer dereference
EUVDB-ID: #VU69449
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-29652
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when processing an authentication request message for the “gssapi-with-mic” method. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Improper Certificate Validation
EUVDB-ID: #VU29673
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-7919
CWE-ID:
CWE-295 - Improper Certificate Validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Go before 1.12.16 and 1.13.x before 1.13.7 (and the crypto/cryptobyte package before 0.0.0-20200124225646-8b5121be2f68 for Go) allows attacks on clients (resulting in a panic) via a malformed X.509 certificate.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Code Injection
EUVDB-ID: #VU48478
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-28366
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation at build time when cgo is in use. A remote attacker can trick the victim into building a specially crafted application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Missing Authorization
EUVDB-ID: #VU56023
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-33197
CWE-ID:
CWE-862 - Missing Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authorization process.
The vulnerability exists due to an error in some configurations of ReverseProxy (from net/http/httputil). A remote attacker can drop arbitrary headers and bypass authorization process.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) Race condition
EUVDB-ID: #VU31891
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-15586
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a race condition in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler. A remote attacker can exploit the race and cause a denial of service condition on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
16) Code Injection
EUVDB-ID: #VU48479
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-28367
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation at build time when cgo is in use. A remote attacker can trick the victim to build a specially crafted application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
17) Deserialization of Untrusted Data
EUVDB-ID: #VU59148
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-46877
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insecure input validation when processing serialized JsonNode values. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
Note, the vulnerability affects JDK serialization only.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
18) Out-of-bounds write
EUVDB-ID: #VU71109
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-45693
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack..
The vulnerability exists due to a boundary error when processing data passed via the map parameter. A remote attacker can pass specially crafted input to the application, trigger an out-of-bounds write and perform a denial of service (DoS) attack. MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
19) Improper Interaction Between Multiple Correctly-Behaving Entities
EUVDB-ID: #VU78680
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-29510
CWE-ID:
CWE-435 - Improper Interaction Between Multiple Correctly-Behaving Entities
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions.
The vulnerability exists due to incorrect preserving the semantics of directives during tokenization round-trips. A remote unauthenticated attacker can craft inputs that behave in conflicting ways during different stages of processing in affected downstream applications.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
20) Input validation error
EUVDB-ID: #VU75562
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-20861
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of SpEL expressions. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
21) Heap-based buffer overflow
EUVDB-ID: #VU71558
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-0433
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the same_leader() and utfc_ptr2len() function. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
22) Division by zero
EUVDB-ID: #VU72341
Risk: Low
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-0512
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a divide by zero in the adjust_skipcol() function in move.c. A remote attacker can trick the victim to open a specially crafted file and crash the editor.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
23) Heap-based buffer overflow
EUVDB-ID: #VU73170
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-1170
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the utf_ptr2char() function in mbyte.c. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
24) Buffer overflow
EUVDB-ID: #VU73171
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-1175
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the yank_copy_line() function in register.c. A remote attacker can create a specially crafted, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
25) Input validation error
EUVDB-ID: #VU75409
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-20863
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote user can use a specially crafted SpEL expression and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
26) Input validation error
EUVDB-ID: #VU75561
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-20860
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an input validation error caused by using the wildcard ("**") as a pattern in Spring Security configuration with the mvcRequestMatcher, which creates a mismatch in pattern matching between Spring Security and Spring MVC. A remote attacker can bypass certain security restrictions.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
27) Uncontrolled Recursion
EUVDB-ID: #VU75431
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-1436
CWE-ID:
CWE-674 - Uncontrolled Recursion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to uncontrolled recursion when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
28) Deserialization of Untrusted Data
EUVDB-ID: #VU70385
Risk: High
CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2022-1471
CWE-ID:
CWE-502 - Deserialization of Untrusted Data
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data within the SnakeYaml's Constructor() class. A remote attacker can pass specially crafted yaml content to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
29) Input validation error
EUVDB-ID: #VU71377
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-40898
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input passed to wheel cli. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
30) Integer overflow
EUVDB-ID: #VU68887
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2022-37454
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow within the Keccak XKCP SHA-3 reference implementation. A remote attacker can pass specially crafted data to the application, trigger an integer overflow and execute arbitrary code on the target system or eliminate expected cryptographic properties.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
31) Improper input validation
EUVDB-ID: #VU62403
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-22570
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Server: Compiling (protobuf) component in MySQL Server. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
32) Input validation error
EUVDB-ID: #VU69293
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-3171
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input containing multiple instances of non-repeated embedded messages with repeated or unknown fields. A remote attacker can cause objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
33) Improper input validation
EUVDB-ID: #VU71253
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-3510
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the Policy (Google Protobuf-Java) component in Oracle Communications Cloud Native Core Policy. A remote non-authenticated attacker can exploit this vulnerability to perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
34) Input validation error
EUVDB-ID: #VU69670
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-3509
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when parsing textformat data. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
35) Cross-site scripting
EUVDB-ID: #VU56022
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-33195
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of data passed from DNS lookups. A remote attacker can send a specially crafted DNS reqponse and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
36) Infinite loop
EUVDB-ID: #VU51486
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-27918
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when using xml.NewTokenDecoder with a custom TokenReader. A remote attacker can trick a victim to open a specially crafted XML content and cause denial of service conditions.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
37) Heap-based buffer overflow
EUVDB-ID: #VU71238
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-41903
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error during git archive invocation. A remote attacker can trick the victim into using the application against a specially crafted archive, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
38) Code Injection
EUVDB-ID: #VU51337
Risk: High
CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2021-21300
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in Git for Visual Studio. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
39) Exposure of Resource to Wrong Sphere
EUVDB-ID: #VU109618
Risk: High
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-24975
CWE-ID:
CWE-668 - Exposure of resource to wrong sphere
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to The --mirror documentation for Git does not mention the availability of deleted content, aka the "GitBleed" issue. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
40) Untrusted search path
EUVDB-ID: #VU62258
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-24765
CWE-ID:
CWE-426 - Untrusted Search Path
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to application uses by default the C:\.git folder. A local user with ability to write files into the said directory can place a malicious file into it and execute it with elevated privileges.
Users of the Microsoft fork of Git are vulnerable simply by starting a Git Bash.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
41) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU65287
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-29187
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions. A remote user can bypass implemented security restrictions and privilege escalation on the system when navigating as root into a shared tmp directory owned by the victim, but where an attacker can create a git repository.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
42) Input validation error
EUVDB-ID: #VU68517
Risk: Low
CVSSv4.0: 0.9 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2022-39253
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to the way Git handles hardlinks when performing a local clone. A remote attacker can trick the victim into clocking a malicious repository and create or copy hardlinks to critical files on the system, which can result in sensitive information exposure.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
43) Heap-based buffer overflow
EUVDB-ID: #VU68518
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-39260
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the "git shell" command when handling untrusted input. A remote attacker can trick the victim to execute the affected command against a malicious repository, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
44) Integer overflow
EUVDB-ID: #VU71239
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2022-23521
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insufficient validation of user-supplied input when parsing the .gitattributes attributes. A remote attacker can trick the victim into cloning a specially crafted repository and execute arbitrary code on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
45) Resource exhaustion
EUVDB-ID: #VU72319
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-25153
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when importing an OCI image. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
46) Link following
EUVDB-ID: #VU72246
Risk: Low
CVSSv4.0: 0.2 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-22490
CWE-ID:
CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insecure processing of symbolic links when using local clone optimization. Git will abort local clones whose source `$GIT_DIR/objects` directory
contains symbolic links, however the `objects` directory itself may still be a
symbolic link. A remote attacker can trick the victim into using the local clone optimization to exfiltrate arbitrary files from the victim's system.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
47) Link following
EUVDB-ID: #VU72245
Risk: Medium
CVSSv4.0: 3.7 [CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-23946
CWE-ID:
CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Exploit availability: No
DescriptionThe vulnerability allows an attacker to compromise the affected system.
The vulnerability exists due to application allows to overwrite files outside the working tree via the "git apply" command. A remote attacker can trick the victim to run the affected command against a malicious or compromised repository and overwrite arbitrary files on the system.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
48) Use-after-free
EUVDB-ID: #VU76233
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-28319
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a use-after-free error when checking the SSH sha256 fingerprint. A remote attacker can use the application to connect to a malicious SSH server, trigger a use-after-free error and gain access to potentially sensitive information.
Successful exploitation of the vulnerability requires usage of the the CURLOPT_SSH_HOST_PUBLIC_KEY_SHA256 option, and also CURLOPT_VERBOSE or CURLOPT_ERRORBUFFER options have to be set.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
49) Expected behavior violation
EUVDB-ID: #VU68746
Risk: Medium
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-32221
CWE-ID:
CWE-440 - Expected Behavior Violation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to force unexpected application behavior.
The vulnerability exists due to a logic error for a reused handle when processing subsequent HTTP PUT and POST requests. The libcurl can erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request, which used that callback. As a result, such behavior can influence application flow and force unpredictable outcome.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
50) Integer overflow
EUVDB-ID: #VU50990
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2020-36242
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow when processing certain sequences of update calls to symmetrically encrypt multi-GB values. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
51) Insufficient verification of data authenticity
EUVDB-ID: #VU70441
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-37533
CWE-ID:
CWE-345 - Insufficient Verification of Data Authenticity
Exploit availability: No
DescriptionThe vulnerability allows an attacker to redirect victim to a malicious host.
The vulnerability exists due to the application trusts the host from PASV response by default. A remote attacker can trick the victim into connecting to an attacker controlled FTP server and then redirect the application to another host.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
52) Improper Privilege Management
EUVDB-ID: #VU72320
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-25173
CWE-ID:
CWE-269 - Improper Privilege Management
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges.
The vulnerability exists due to improper privilege management where supplementary groups are not set up properly inside a container. A local user can use supplementary group access to bypass primary group restrictions and compromise the container.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
53) Unprotected Alternate Channel
EUVDB-ID: #VU74468
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-28840
CWE-ID:
CWE-420 - Unprotected Alternate Channel
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to unprotected alternate channel within encrypted overlay networks. A remote attacker can inject arbitrary Ethernet frames into the encrypted overlay network and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
54) Improper Certificate Validation
EUVDB-ID: #VU55665
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2021-34558
CWE-ID:
CWE-295 - Improper Certificate Validation
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper certificate verification in crypto/tls package in Go when processing X.509 certificates. The application does not properly assert that the type of public key in an X.509 certificate matches the expected type when doing a RSA based key exchange, allowing a malicious TLS server to cause a TLS client to panic.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
55) Race condition
EUVDB-ID: #VU55668
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-36221
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a race condition in net/http/httputil ReverseProxy when handling ErrAbortHandler events. A remote attacker can trigger a race condition and crash the ReverseProxy.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
56) Allocation of Resources Without Limits or Throttling
EUVDB-ID: #VU60921
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-39293
CWE-ID:
CWE-770 - Allocation of Resources Without Limits or Throttling
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of archive/zip in Go programming language when processing archive header. A remote attacker can pass a specially crafted file to the application and perform a denial of service (DoS) attack.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
57) Resource exhaustion
EUVDB-ID: #VU54521
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-33196
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing archives. A remote attacker can pass a specially crafted .zip file to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
58) Resource management error
EUVDB-ID: #VU56024
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-33198
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when handling a large exponent to the math/big.Rat SetString or UnmarshalText method. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
59) Input validation error
EUVDB-ID: #VU48480
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-28362
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in a number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD). A remote attacker can pass large input data to the application, specifically as divisor or modulo argument larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures).
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
60) Infinite loop
EUVDB-ID: #VU45699
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-16845
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in "ReadUvarint" and "ReadVarint" in "encoding/binary". A remote attacker can consume all available system resources and cause denial of service conditions.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
61) Buffer overflow
EUVDB-ID: #VU65080
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-41771
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists in debug/macho of the Go standard library when using the debug/macho standard library (stdlib) and malformed binaries are parsed using Open or OpenFat. A remote attacker can send a specially crafted file to perform a denial of service attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
62) Improper Certificate Validation
EUVDB-ID: #VU31890
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-14039
CWE-ID:
CWE-295 - Improper Certificate Validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists when "VerifyOptions.Roots" is nil, "Certificate.Verify" does not check the EKU requirements specified in "VerifyOptions.KeyUsages".
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
63) Buffer overflow
EUVDB-ID: #VU57579
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2021-38297
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error. A remote attacker can trigger memory corruption via large arguments in a function invocation from a WASM module, when GOARCH=wasm GOOS=js is used.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
64) Missing Encryption of Sensitive Data
EUVDB-ID: #VU74467
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-28841
CWE-ID:
CWE-311 - Missing Encryption of Sensitive Data
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to missing encryption of sensitive data within the overlay network driver. A remote attacker can gain unauthorized access to sensitive information on the system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
65) Input validation error
EUVDB-ID: #VU56829
Risk: Medium
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-29923
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input in net.ParseIP and net.ParseCIDR, as the Go interpreter does not properly consider extraneous zero characters at the beginning
of an IP address octet. A remote attacker can
bypass access control that is based on IP addresses, because of
unexpected octal interpretation.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
66) Input validation error
EUVDB-ID: #VU66120
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-41772
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input in archive/zip Reader.Open. A remote attacker can pass specially crafted ZIP archive containing an invalid name or an empty filename field to the application and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
67) Incorrect calculation
EUVDB-ID: #VU50047
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-3114
CWE-ID:
CWE-682 - Incorrect Calculation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to incorrect calculation performed by the application in "crypto/elliptic/p224.go". A remote attacker can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
68) Cross-site scripting
EUVDB-ID: #VU46580
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-24553
CWE-ID:
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Exploit availability: No
DescriptionThe disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
69) Command Injection
EUVDB-ID: #VU87204
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2023-34231
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists via single sign-on (SSO) browser URL authentication. A remote unauthenticated attacker can set up a malicious, publicly accessible server which responds to the SSO URL with an attack payload, trick the victim into visiting the maliciously crafted connection URL and execute arbitrary code on the target system.
MitigationInstall update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
70) Use of Password Hash Instead of Password for Authentication
EUVDB-ID: #VU69691
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-46146
CWE-ID:
CWE-836 - Use of Password Hash Instead of Password for Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to incorrect implementation of basic authentication. A remote attacker with knowledge of the password hash can authenticate against Prometheus without actual knowledge of the password.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
71) Unprotected Alternate Channel
EUVDB-ID: #VU74469
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-28842
CWE-ID:
CWE-420 - Unprotected Alternate Channel
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to unprotected alternate channel within encrypted overlay networks. A remote attacker can inject arbitrary Ethernet frames into the encrypted overlay network by encapsulating them in VXLAN datagrams.
Install update from vendor's website.
Vulnerable software versionsObjectScale: 1.0.0 - 1.2.0
CPE2.3- cpe:2.3:a:dell:objectscale:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:objectscale:1.0.2:*:*:*:*:*:*:*
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
