Authorization Bypass in Dell EMC Unity and UnityVSA Products
CVE-2018-1250
6.5 MEDIUM
Summary
Dell EMC Unity and UnityVSA versions before 4.3.1.1525703027 are affected by an authorization bypass issue that lets remote authenticated users exploit certain APIs of Unity OE. Role-Based Authorization is enforced solely within the Unisphere GUI, so a user who calls these APIs directly circumvents it and gains unauthorized file access on NAS servers. This poses a significant risk of data exposure.
Affected Version(s)
Dell EMC Unity < 4.3.1.1525703027
Dell EMC UnityVSA < 4.3.1.1525703027
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved