Privilege Escalation Vulnerability in ONTAP 9
CVE-2024-21985

7.6 HIGH

Key Information:

Vendor: NetApp
Status: Vendor
CVE Published: 26 January 2024

Summary

The vulnerability allows authenticated users who hold multiple remote accounts with differing roles in NetApp's ONTAP system to perform actions through the REST API that exceed the permissions intended for them. This flaw can lead to the exposure of limited configuration details and operational metrics, as well as modification of specific settings. Such unauthorized actions may also result in a Denial of Service (DoS), impacting the availability of services that rely on ONTAP. Organizations running affected versions should review their exposure and apply the vendor patches to mitigate these risks.

Affected Version(s)

ONTAP 9 9.0 < 9.9.1P18

ONTAP 9 9.10.1 < 9.10.1P16

ONTAP 9 9.11.1 < 9.11.1P13

References

CVSS V3.1

Score: 7.6
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

CVE-2024-21985 : Privilege Escalation Vulnerability in ONTAP 9 | SecurityVulnerability.io