CVE-2025-21103
Published 2025-02-17
Priority: P3 (40) | Severity: high | CVSS 3.1 base score: 7.8
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.20% (10.4th percentile)
Dell NetWorker Management Console, versions 19.11 through 19.11.0.3 and versions prior to 19.10.0.7, contains an improper neutralization of server-side includes vulnerability (CWE-97). An unauthenticated attacker with local access could potentially exploit this vulnerability to run arbitrary code on the server.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dell | networker | < 19.10.0.7 | 19.10.0.7 |
| dell | networker | 19.11 – 19.11.0.3 | — |
| dell | networker_management_console | 19.11 – 19.11.0.3 | — |
| dell | networker_management_console | < 19.10.0.7 | 19.10.0.7 |
| github.com | minio_minio | >= 0 < 0.0.0-20250403145552-8c70975283f9 | 0.0.0-20250403145552-8c70975283f9 |
GHSA (2025-04-04): CVE-2025-31489 [HIGH] CWE-347: MinIO performs incomplete signature validation for unsigned-trailer uploads
### Impact
This is a high priority vulnerability and users must upgrade ASAP.
The signature component of the Authorization header may be invalid yet still accepted, which means that as a client you can use any arbitrary secret to upload objects, provided the user already has WRITE permissions on the bucket. Prior knowledge of an access key with WRITE permissions, and of a bucket name that key can access, is necessary.
With that information in place, however, uploading arbitrary objects to the bucket is trivial via `curl`.
### Patches
Yes: https://github.com/minio/minio/pull/21103
### Workarounds
Reject requests with `x-amz-content-sha256: STREAMING-UNSIGNED-PAYLOAD-TRAILER` for now at the LB layer, ask a
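The workaround above is a header-based block in front of MinIO. The following Go middleware is an added example written for this page; it is not MinIO's code and not part of the advisory. It checks the `x-amz-content-sha256` request header named in the advisory and answers 403 before the body is read. The header and value come from the advisory; the case-insensitive, whitespace-trimmed comparison is a design choice of this example (it may reject a request that the server would not have treated as an unsigned-trailer upload, which is acceptable for a temporary block). The upstream handler in `main` is a hypothetical stand-in for the proxy to MinIO.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// Header name and value taken from the MinIO advisory.
const (
	contentSHA256Header  = "X-Amz-Content-Sha256"
	unsignedTrailerValue = "STREAMING-UNSIGNED-PAYLOAD-TRAILER"
)

// usesUnsignedTrailer reports whether the request declares an
// unsigned-trailer streaming upload. Every value of the header is
// inspected (a client may send it twice), and the comparison ignores
// case and surrounding whitespace so trivial variations do not slip
// past the block. Assumption of this example: over-blocking is fine.
func usesUnsignedTrailer(h http.Header) bool {
	for _, v := range h.Values(contentSHA256Header) {
		if strings.EqualFold(strings.TrimSpace(v), unsignedTrailerValue) {
			return true
		}
	}
	return false
}

// RejectUnsignedTrailer wraps next and answers 403 Forbidden for any
// request that declares an unsigned-trailer payload. The check runs on
// headers only, so the (possibly large) body is never read.
func RejectUnsignedTrailer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if usesUnsignedTrailer(r.Header) {
			http.Error(w, "unsigned-trailer uploads are disabled", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Hypothetical upstream: in a real deployment this would be the
	// reverse proxy to MinIO rather than a handler that returns 200.
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	log.Fatal(http.ListenAndServe(":8080", RejectUnsignedTrailer(upstream)))
}
```

This blocks the specific request shape the advisory names; it is a stopgap, not a fix, and the upgrade to the patched release is still required. Regular `UNSIGNED-PAYLOAD` and SHA-256-hashed requests pass through untouched.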
GHSA-2v9c-w6gf-rwp7 (unreviewed, 2025-02-17): CVE-2025-21103 [HIGH] CWE-97: Dell NetWorker Management Console, versions 19.11 through 19.11.0.3 and versions prior to 19.10.0.7, contains an improper neutralization of server-side includes vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability to run arbitrary code on the server.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.