Unauthenticated Java Deserialization Vulnerability in HPE Storage Essentials
CVE-2017-10992

9.8CRITICAL

Key Information:

Vendor: HP
Status: Storage Essentials
Vendor: CVE Published:; 10 March 2020

Summary

In HPE Storage Essentials version 9.5.0.142, a vulnerability exists that allows unauthenticated attackers to exploit Java deserialization. Through a crafted request directed at the invoker/JMXInvokerServlet, the flaw facilitates remote code execution, enabling unauthorized users to execute operating system commands. This security issue poses significant risks to the integrity and availability of systems utilizing this software.

References

https://labs.integrity.pt/advisories/cve-2017-10992/

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 10, 2020
Vulnerability Reserved
Jul 7, 2017