Dell Data Protection Central update for third-party components



Risk High
Patch available YES
Number of vulnerabilities 26
CVE-ID CVE-2023-30589
CVE-2023-34034
CVE-2023-20883
CVE-2023-20873
CVE-2023-3635
CVE-2022-25883
CVE-2022-25901
CVE-2023-2976
CVE-2023-43646
CVE-2023-28709
CVE-2022-32212
CVE-2023-23918
CVE-2022-43548
CVE-2023-36054
CVE-2023-32002
CVE-2022-35255
CVE-2023-28322
CVE-2023-24329
CVE-2023-34035
CVE-2023-21930
CVE-2023-31484
CVE-2023-40217
CVE-2018-9234
CVE-2023-25193
CVE-2023-38039
CVE-2023-4039
CWE-ID CWE-444
CWE-254
CWE-399
CWE-681
CWE-185
CWE-1333
CWE-276
CWE-400
CWE-770
CWE-703
CWE-264
CWE-350
CWE-824
CWE-330
CWE-440
CWE-20
CWE-863
CWE-295
CWE-319
CWE-320
Exploitation vector Network
Public exploit N/A
Vulnerable software
Dell Data Protection Central
Other software / Other software solutions

Vendor Dell

Security Bulletin

This security bulletin contains information about 26 vulnerabilities.

1) Inconsistent interpretation of HTTP requests

EUVDB-ID: #VU77605

Risk: Medium

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-30589

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests in the llhttp parser. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security features bypass

EUVDB-ID: #VU80880

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-34034

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to the usage of "**" as a pattern in Spring Security configuration for WebFlux creates a mismatch in pattern matching between Spring Security and Spring WebFlux. A remote unauthenticated attacker can trigger the vulnerability to bypass security restrictions.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Resource management error

EUVDB-ID: #VU76427

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-20883

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Specifically, an application is vulnerable if all of the conditions are true:

  • The application has Spring MVC auto-configuration enabled. This is the case by default if Spring MVC is on the classpath.
  • The application makes use of Spring Boot's welcome page support, either static or templated.
  • Your application is deployed behind a proxy which caches 404 responses.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Security features bypass

EUVDB-ID: #VU75407

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-20873

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to security features bypass. A remote attacker can cause security bypass on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Incorrect Conversion between Numeric Types

EUVDB-ID: #VU80783

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-3635

CWE-ID: CWE-681 - Incorrect Conversion between Numeric Types

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Incorrect Regular Expression

EUVDB-ID: #VU78932

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-25883

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application via the new Range function and perform regular expression denial of service (ReDos) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Inefficient regular expression complexity

EUVDB-ID: #VU76691

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-25901

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions within the Cookie.parse function. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Incorrect default permissions

EUVDB-ID: #VU77107

Risk: Low

CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-2976

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions in com.google.common.io.FileBackedOutputStream. A local user with access to the system can view contents of files and directories or modify them.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Resource exhaustion

EUVDB-ID: #VU83242

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-43646

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when parsing malicious input. A remote attacker can trigger resource exhaustion when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly, and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) Allocation of Resources Without Limits or Throttling

EUVDB-ID: #VU76417

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-28709

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an incomplete fox for #VU72427 (CVE-2023-24998). If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed. A remote attacker can initiate a series of uploads and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) Improper Check or Handling of Exceptional Conditions

EUVDB-ID: #VU65273

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-32212

CWE-ID: CWE-703 - Improper Check or Handling of Exceptional Conditions

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to IsIPAddress does not properly checks if an IP address is invalid or not. A remote unauthenticated attacker can exploit this vulnerability to bypass the IsAllowedHost check and execute arbitrary code on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU72398

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-23918

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to improperly imposed security restrictions within the process.mainModule.require() method. A remote user can access non authorized modules.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) Reliance on Reverse DNS Resolution for a Security-Critical Action

EUVDB-ID: #VU69354

Risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-43548

CWE-ID: CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DNS rebinding attacks.

The vulnerability exists due to improper validation of octal IP address within the Node.js rebinding protector for --inspec. A remote attacker can resolve the invalid octal address via DNS. When combined with an active --inspect session, such as when using VSCode, an attacker can perform DNS rebinding and execute arbitrary code in client's browser.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) Access of Uninitialized Pointer

EUVDB-ID: #VU79586

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-36054

CWE-ID: CWE-824 - Access of Uninitialized Pointer

Exploit availability: No

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to the  _xdr_kadm5_principal_ent_rec() function in lib/kadm5/kadm_rpc_xdr.c does not validate the relationship between n_key_data and the key_data array count and frees an uninitialized pointer. A remote user can send a specially crafted request to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU79332

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32002

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to improperly imposed security restrictions for the Module._load() method. A remote attacker can bypass the policy mechanism and include modules outside of the policy.json definition for a given module.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) Use of insufficiently random values

EUVDB-ID: #VU67849

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-35255

CWE-ID: CWE-330 - Use of Insufficiently Random Values

Exploit availability: No

Description

The vulnerability allows a remote attacker to decrypt sensitive information.

The vulnerability exists due to usage of weak randomness in WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. A remote attacker can decrypt sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) Expected behavior violation

EUVDB-ID: #VU76238

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-28322

CWE-ID: CWE-440 - Expected Behavior Violation

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a logic error when sending HTTP POST and PUT requests using the same handle. The libcurl can erroneously use the read callback (CURLOPT_READFUNCTION) to ask for data to send, even when the CURLOPT_POSTFIELDS option has been set, if the same handle previously was used to issue a PUT request which used that callback. As a result, the application can misbehave and either send off the wrong data or use memory after free or similar in the second transfer.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) Input validation error

EUVDB-ID: #VU72618

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-24329

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented filters.

The vulnerability exists due to insufficient validation of URLs that start with blank characters within urllib.parse component of Python. A remote attacker can pass specially crafted URL to bypass existing filters.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) Incorrect authorization

EUVDB-ID: #VU82227

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-34035

CWE-ID: CWE-863 - Incorrect Authorization

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authorization process.

The vulnerability exists due to authorization rule misconfiguration if the application uses requestMatchers(String) or requestMatchers(HttpMethod, String) and multiple servlets, one of them being Spring MVC’s DispatcherServlet. A remote attacker can bypass authorization rules and gain unauthorized access to the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) Improper input validation

EUVDB-ID: #VU75260

Risk: Medium

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-21930

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The vulnerability exists due to improper input validation within the JSSE component in Oracle GraalVM Enterprise Edition. A remote non-authenticated attacker can exploit this vulnerability to read and manipulate data.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) Improper Certificate Validation

EUVDB-ID: #VU75604

Risk: Medium

CVSSv3.1: 5.9 [CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-31484

CWE-ID: CWE-295 - Improper Certificate Validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to missing verification of the TLS certificate when downloading distributions. A remote attacker can perform MitM attack and trick the application into downloading a malicious file.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) Cleartext transmission of sensitive information

EUVDB-ID: #VU80228

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-40217

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to an error in ssl.SSLSocket implementation when handling TLS client authentication. A remote attacker can trick the application to send data unencrypted.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) Key management errors

EUVDB-ID: #VU12732

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-9234

CWE-ID: CWE-320 - Key Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to missing enforcement of a configuration in which key certification requires an offline master Certify key, which results in apparently valid certifications that occurred only with access to a signing subkey. A remote attacker can gain access to potentially sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

24) Input validation error

EUVDB-ID: #VU72050

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-25193

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in hb-ot-layout-gsubgpos.hh. A remote attacker can use consecutive marks during the process of looking back for base glyphs when attaching marks and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Resource exhaustion

EUVDB-ID: #VU80732

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-38039

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not limit the size of received headers from a single request that are stored for future reference. A remote attacker can send overly large HTTP responses to the application and consume all memory resources.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Security features bypass

EUVDB-ID: #VU81045

Risk: Medium

CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4039

CWE-ID: CWE-254 - Security Features

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to the GCC's stack smashing protection does not detect or defend against overflows of dynamically-sized local variables on AArch64 targets. A remote attacker can bypass expected security restrictions and successfully exploit buffer overflow vulnerabilities.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Dell Data Protection Central: before 19.10.0-4

CPE2.3 External links

http://www.dell.com/support/kbdoc/nl-nl/000221194/dsa-2024-010-security-update-for-dell-data-protection-central-for-multiple-third-party-vulnerabilities


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###