CVE-2023-44277 — OS Command Injection in Dell Apex Protection Storage

CWE-78 — OS Command Injection3 documents3 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 79.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Dell Apex Protection Storage Dell EMC Data Domain OS Dell Powerprotect Data Domain +3 more

Timeline

PublishedDec 14

Description

Dell PowerProtect DD, versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain an OS command injection vulnerability in the CLI. A local low privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages6 packages

▶NVDdell/powerprotect_data_domain7.0 — 7.12.0.0+1

▶NVDdell/powerprotect_data_protection< 2.7.6

▶NVDdell/powerprotect_data_domain_management_center7.0 — 7.13.0.10+3

▶CVEListV5dell/powerprotect_ddVersions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110

▶NVDdell/emc_data_domain_os7.0 — 7.12.0.0+3

🔴Vulnerability Details

CVEList

CVE-2023-44277: Dell PowerProtect DD, versions prior to 7↗2023-12-14

▶

GHSA

GHSA-fjw6-6rwx-mp6r: Dell PowerProtect DD, versions prior to 7↗2023-12-14

▶