CVE-2019-18581 — Missing Authorization in Dell Data Protection Advisor

CWE-862 — Missing Authorization3 documents3 sources

Severity

7.2HIGHNVD

EPSS

2.2%

top 15.55%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dell Data Protection Advisor Dell EMC Data Protection Advisor Dell EMC Integrated Data Protection Appliance Firmware

Timeline

PublishedMar 18

Latest updateMay 24

Description

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server missing authorization vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to alter the application’s allowable list of OS commands. This may lead to arbitrary OS command execution as the regular user runs the DPA service on the affected system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5dell/data_protection_advisorunspecified — 6.3, 6.4, 6.5 and version prior to 18.2 patch 83 and prior to 19.1 patch 71

▶NVDdell/emc_data_protection_advisor6 versions+5

▶NVDdell/emc_integrated_data_protection_appliance_firmware5 versions+4

🔴Vulnerability Details

GHSA

GHSA-3cg8-9wqp-7hg9: Dell EMC Data Protection Advisor versions 6↗2022-05-24

▶

CVEList

CVE-2019-18581: Dell EMC Data Protection Advisor versions 6↗2020-03-18

▶