Improper Enforcement of Export Policies in NetApp's Data ONTAP Product
CVE-2018-5490

8.8HIGH

Key Information:

Vendor
Netapp
Status
Clustered Data Ontap
Vendor
CVE Published:
3 August 2018

Summary

In certain early versions of NetApp's Clustered Data ONTAP 8.3, read-only export policy rules were not adequately enforced, allowing authenticated SMBv2 and SMBv3 clients to gain more than the intended read-only access. This issue has been rectified in the general availability (GA) release of Data ONTAP 8.3. Users operating on prior release candidates are strongly advised to update their systems to safeguard against unauthorized access.

Affected Version(s)

Clustered Data ONTAP 8.3 Release Candidate versions

References

https://security.netapp.com/advisory/ntap-20150324-0001/
x_refsource_CONFIRM

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2018-5490 : Improper Enforcement of Export Policies in NetApp's Data ONTAP Product | SecurityVulnerability.io