Vulnerability identifier: #VU8570
Vulnerability risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-22
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Storage M&R (Client/Desktop applications / Other client software)
VNX M&R (Client/Desktop applications / Other client software)
EMC M&R (Watch4Net) (Client/Desktop applications / Other client software)
EMC ViPR SRM (Client/Desktop applications / Software for archiving)
Vendor: Dell
Description
The vulnerability allows a remote authenticated attacker to access information on the target system.
The weakness exists due to directory traversal in the Webservice Gateway. A remote attacker with knowledge of Webservice Gateway credentials can supply specially crafted strings in input parameters of the web service call to access, modify or delete data.
Mitigation
Update the software to version 4.1.
Install the 6.7.x fix for EMC M&R Watch4net for SAS Solution Packs.
Vulnerable software versions
Storage M&R: 4.0.1 - 4.0.3
EMC ViPR SRM: 4.0.1 - 4.0.3
VNX M&R: 4.0.1 - 4.0.3
EMC M&R (Watch4Net): All versions
External links
http://seclists.org/fulldisclosure/2017/Sep/51
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.