Command Injection Vulnerability in Dell EMC RecoverPoint Product Line
CVE-2018-1242

6.5MEDIUM

Key Information:

Vendor: Dell
Status: Dell Emc Recoverpoint; Dell Emc Recoverpoint Virtual Machine (vm)
Vendor: CVE Published:; 29 May 2018

Summary

A command injection vulnerability exists in the Boxmgmt CLI of Dell EMC RecoverPoint, specifically impacting versions prior to 5.1.2 and RecoverPoint for VMs prior to 5.1.1.3. This flaw allows an authenticated malicious user with boxmgmt privileges to exploit the system, potentially enabling access to sensitive RPA files. However, it is important to note that files requiring root permission remain protected and cannot be accessed through this exploit. Organizations using affected versions are advised to update to the latest releases to mitigate any potential security risks.

Affected Version(s)

Dell EMC RecoverPoint < 5.1.2

Dell EMC RecoverPoint Virtual Machine (VM) < 5.1.1.3

References

http://seclists.org/fulldisclosure/2018/May/61

mailing-listx_refsource_FULLDISC

http://www.securityfocus.com/bid/104246

vdb-entryx_refsource_BID

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 29, 2018
Vulnerability Reserved
Dec 6, 2017