Access Control Vulnerability in StorageGRID by NetApp
CVE-2022-23232

4.9 MEDIUM

Key Information:

Vendor:
NetApp
CVE Published:
4 March 2022

Summary

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 do not properly restrict S3 access for external (federated) user accounts that have been disabled, expired, or locked in the identity source: such accounts can continue to access S3 data they were previously permitted to reach, so sensitive data stays exposed to someone who should no longer have access. Version 11.6.0 addresses this for Active Directory and Azure identity sources by checking account status during the background synchronization of federated users, so that accounts found to be disabled lose their S3 access. For other identity sources this check is not automatic: administrators still have to remove or disable the corresponding StorageGRID access manually, and should audit federated S3 access regularly.
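The following Python script is an added example, not NetApp's code and not StorageGRID's synchronization logic. It shows the kind of account-status check the 11.6.0 fix applies for Active Directory, run offline against a directory export, so the same logic can serve the manual audit the advisory leaves to administrators of other identity sources. The federated user list, the S3 access key IDs and the directory entries are constructed for illustration; the userAccountControl bit values and the accountExpires FILETIME encoding are the documented Active Directory ones. Function names such as `find_stale_s3_access` are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Documented Active Directory userAccountControl bits. LOCKOUT is only
# reliably reported through msDS-User-Account-Control-Computed on current
# domain controllers, so callers should OR that attribute in.
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010

# accountExpires is a FILETIME (100-ns ticks since 1601-01-01 UTC);
# 0 and 0x7FFFFFFFFFFFFFFF both mean "never expires".
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert an AD FILETIME value to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime (microsecond precision)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


@dataclass
class DirectoryUser:
    """One federated user as read from the identity source (constructed)."""
    sam_account_name: str
    user_account_control: int  # userAccountControl | msDS-User-Account-Control-Computed
    account_expires: int       # FILETIME


def account_status(user: DirectoryUser, now: datetime) -> list:
    """Reasons this account should no longer hold S3 access ([] if active).

    This is the check the advisory describes for AD/Azure sources: disabled,
    locked, or expired accounts must not keep previously granted S3 access.
    """
    reasons = []
    if user.user_account_control & ACCOUNTDISABLE:
        reasons.append("disabled")
    if user.user_account_control & LOCKOUT:
        reasons.append("locked")
    if (user.account_expires not in NEVER_EXPIRES
            and filetime_to_datetime(user.account_expires) <= now):
        reasons.append("expired")
    return reasons


def find_stale_s3_access(s3_principals: dict, directory: dict, now: datetime) -> dict:
    """Reconcile federated S3 principals against the identity source.

    s3_principals maps a federated username to the S3 access key IDs issued
    to it; directory maps sAMAccountName to DirectoryUser. Returns the users
    whose keys should be revoked, with the reasons. A principal that no
    longer exists in the directory at all is flagged as well, since a deleted
    upstream account is another way access can outlive its owner.
    """
    stale = {}
    for username, access_keys in s3_principals.items():
        user = directory.get(username)
        reasons = ["not found in identity source"] if user is None else account_status(user, now)
        if reasons:
            stale[username] = {"reasons": reasons, "access_keys": list(access_keys)}
    return stale


# Constructed sample data; the point in time is fixed so the result is stable.
NOW = datetime(2022, 3, 4, tzinfo=timezone.utc)
NORMAL_ACCOUNT = 0x0200  # the usual base value of userAccountControl

DIRECTORY = {
    "alice": DirectoryUser("alice", NORMAL_ACCOUNT, 0),
    "bob":   DirectoryUser("bob", NORMAL_ACCOUNT | ACCOUNTDISABLE, 0),
    "carol": DirectoryUser("carol", NORMAL_ACCOUNT,
                           datetime_to_filetime(datetime(2022, 1, 1, tzinfo=timezone.utc))),
    "dave":  DirectoryUser("dave", NORMAL_ACCOUNT | LOCKOUT, 0x7FFFFFFFFFFFFFFF),
}

# Hypothetical federated tenant users and the S3 access key IDs issued to them.
S3_PRINCIPALS = {
    "alice": ["S3KEY-EXAMPLE-0001"],
    "bob":   ["S3KEY-EXAMPLE-0002"],
    "carol": ["S3KEY-EXAMPLE-0003", "S3KEY-EXAMPLE-0004"],
    "dave":  ["S3KEY-EXAMPLE-0005"],
    "erin":  ["S3KEY-EXAMPLE-0006"],  # no longer exists in the directory
}

if __name__ == "__main__":
    for name, info in find_stale_s3_access(S3_PRINCIPALS, DIRECTORY, NOW).items():
        print(f"{name}: revoke {', '.join(info['access_keys'])} ({', '.join(info['reasons'])})")
```

Running the script against the constructed data reports bob (disabled), carol (expired), dave (locked) and erin (missing from the directory), while alice is left alone. The check deliberately treats "missing" as a revocation reason rather than an error, because a directory export that no longer contains a user is exactly the case a periodic audit is meant to catch.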

Affected Version(s)

StorageGRID (formerly StorageGRID Webscale) Prior to 11.6.0

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 4 March 2022
  • Vulnerability reserved
CVE-2022-23232 : Access Control Vulnerability in StorageGRID by NetApp | SecurityVulnerability.io