ID

VAR-202001-0646


CVE

CVE-2019-11994


TITLE

Multiple HPE SimpliVity products vulnerable to path traversal

Trust: 0.8

sources: JVNDB: JVNDB-2019-014123

DESCRIPTION

A security vulnerability has been identified in HPE SimpliVity 380 Gen 9, HPE SimpliVity 380 Gen 10, HPE SimpliVity 380 Gen 10 G, HPE SimpliVity 2600 Gen 10, SimpliVity OmniCube, SimpliVity OmniStack for Cisco, SimpliVity OmniStack for Lenovo and SimpliVity OmniStack for Dell nodes. An API that is used to execute a command manifest file during upgrade does not correctly prevent directory traversal, so it can be used to execute manifest files in arbitrary locations on the node. The API does not require user authentication and is accessible over the management network, resulting in the potential for unauthenticated remote execution of manifest files. This applies to all customers running HPE OmniStack version 3.7.9 and earlier. HPE recommends upgrading the OmniStack software to version 3.7.10 or later, which contains a permanent resolution. Customers and partners who can upgrade to 3.7.10 should upgrade at the earliest convenience. For all customers and partners unable to upgrade their environments to the recommended version 3.7.10, HPE has created a Temporary Workaround (https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=mmr_sf-EN_US000061901&withFrame) to implement. All customers should upgrade to the recommended 3.7.10 or later version at the earliest convenience. Multiple HPE SimpliVity products contain a path traversal vulnerability. Information may be obtained, information may be tampered with, and a denial-of-service (DoS) condition may result. There are security vulnerabilities in many HPE products.

Trust: 2.16

sources: NVD: CVE-2019-11994 // JVNDB: JVNDB-2019-014123 // CNVD: CNVD-2020-04655

IOT TAXONOMY

category: ['Network device'] | sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-04655

AFFECTED PRODUCTS

vendor: hp | model: simplivity 380 gen10 g | scope: lte | version: 3.7.9

Trust: 1.0

vendor: hp | model: simplivity omnistack for lenovo | scope: gte | version: 3.5.2

Trust: 1.0

vendor: hp | model: simplivity omnistack for dell | scope: lte | version: 3.7.9

Trust: 1.0

vendor: hp | model: simplivity 380 gen10 g | scope: gte | version: 3.7.8

Trust: 1.0

vendor: hp | model: simplivity 2600 gen10 | scope: lte | version: 3.7.9

Trust: 1.0

vendor: hp | model: simplivity 380 gen9 | scope: lte | version: 3.7.9

Trust: 1.0

vendor: hp | model: simplivity omnistack for lenovo | scope: lte | version: 3.7.9

Trust: 1.0

vendor: hp | model: simplivity omnicube | scope: lte | version: 3.7.9

Trust: 1.0

vendor: hp | model: simplivity omnicube | scope: gte | version: 3.5.2

Trust: 1.0

vendor: hp | model: simplivity omnistack for cisco | scope: lte | version: 3.7.9

Trust: 1.0

vendor: hp | model: simplivity omnistack for dell | scope: gte | version: 3.5.2

Trust: 1.0

vendor: hp | model: simplivity 2600 gen10 | scope: gte | version: 3.7.5

Trust: 1.0

vendor: hp | model: simplivity 380 gen10 | scope: lte | version: 3.7.9

Trust: 1.0

vendor: hp | model: simplivity 380 gen9 | scope: gte | version: 3.6.2

Trust: 1.0

vendor: hp | model: simplivity omnistack for cisco | scope: gte | version: 3.5.2

Trust: 1.0

vendor: hp | model: simplivity 380 gen10 | scope: gte | version: 3.7.1

Trust: 1.0

vendor: hewlett packard | model: simplivity 2600 gen 10 | scope: - | version: -

Trust: 0.8

vendor: hewlett packard | model: simplivity 380 gen 10 g | scope: - | version: -

Trust: 0.8

vendor: hewlett packard | model: simplivity 380 gen 10 | scope: - | version: -

Trust: 0.8

vendor: hewlett packard | model: simplivity 380 gen 9 | scope: - | version: -

Trust: 0.8

vendor: hewlett packard | model: simplivity omnicube | scope: - | version: -

Trust: 0.8

vendor: hewlett packard | model: simplivity omnistack for cisco | scope: - | version: -

Trust: 0.8

vendor: hewlett packard | model: simplivity omnistack for dell | scope: - | version: -

Trust: 0.8

vendor: hewlett packard | model: simplivity omnistack for lenovo | scope: - | version: -

Trust: 0.8

vendor: hp | model: simplivity gen9 | scope: eq | version: 380>=3.6.2,<=3.7.9

Trust: 0.6

vendor: hp | model: simplivity gen10 g | scope: eq | version: 380>=3.7.8,<=3.7.9

Trust: 0.6

vendor: hp | model: simplivity gen10 | scope: eq | version: 2600>=3.7.5,<=3.7.9

Trust: 0.6

vendor: hp | model: simplivity omnicube | scope: gte | version: 3.0.8,<=3.7.9

Trust: 0.6

vendor: hp | model: simplivity omnistack for cisco | scope: gte | version: 3.0.8,<=3.7.9

Trust: 0.6

vendor: hp | model: simplivity omnistack for lenovo | scope: gte | version: 3.0.8,<=3.7.9

Trust: 0.6

vendor: hp | model: simplivity omnistack for dell | scope: gte | version: 3.0.8,<=3.7.9

Trust: 0.6

vendor: hp | model: simplivity 2600 gen10 | scope: eq | version: -

Trust: 0.6

vendor: hp | model: simplivity 380 gen10 g | scope: eq | version: -

Trust: 0.6

vendor: hp | model: simplivity omnistack for cisco | scope: eq | version: -

Trust: 0.6

vendor: hp | model: simplivity omnistack for dell | scope: eq | version: -

Trust: 0.6

vendor: hp | model: simplivity omnistack for lenovo | scope: eq | version: -

Trust: 0.6

vendor: hp | model: simplivity 380 gen10 | scope: eq | version: -

Trust: 0.6

vendor: hp | model: simplivity omnicube | scope: eq | version: -

Trust: 0.6

vendor: hp | model: simplivity 380 gen9 | scope: eq | version: -

Trust: 0.6

sources: CNVD: CNVD-2020-04655 // JVNDB: JVNDB-2019-014123 // CNNVD: CNNVD-202001-076 // NVD: CVE-2019-11994

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-11994
value: CRITICAL

Trust: 1.0

NVD: CVE-2019-11994
value: CRITICAL

Trust: 0.8

CNVD: CNVD-2020-04655
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202001-076
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2019-11994
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-04655
severity: HIGH
baseScore: 7.5
vectorString: AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-11994
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2019-11994
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-04655 // JVNDB: JVNDB-2019-014123 // CNNVD: CNNVD-202001-076 // NVD: CVE-2019-11994

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.8

sources: JVNDB: JVNDB-2019-014123 // NVD: CVE-2019-11994

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202001-076

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-202001-076

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-014123

PATCH

title: hpesbst03956en_us | url: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=emr_na-hpesbst03956en_us

Trust: 0.8

title: Patch for Unknown vulnerability in multiple HPE products (CNVD-2020-04655) | url: https://www.cnvd.org.cn/patchInfo/show/199991

Trust: 0.6

title: Multiple HPE Product path traversal vulnerability fixes | url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=108270

Trust: 0.6

sources: CNVD: CNVD-2020-04655 // JVNDB: JVNDB-2019-014123 // CNNVD: CNNVD-202001-076

EXTERNAL IDS

db: NVD | id: CVE-2019-11994

Trust: 3.0

db: JVNDB | id: JVNDB-2019-014123

Trust: 0.8

db: CNVD | id: CNVD-2020-04655

Trust: 0.6

db: CNNVD | id: CNNVD-202001-076

Trust: 0.6

sources: CNVD: CNVD-2020-04655 // JVNDB: JVNDB-2019-014123 // CNNVD: CNNVD-202001-076 // NVD: CVE-2019-11994

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2019-11994

Trust: 2.0

url:https://support.hpe.com/hpsc/doc/public/display?doclocale=en_us&docid=emr_na-hpesbst03956en_us

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-11994

Trust: 0.8

sources: CNVD: CNVD-2020-04655 // JVNDB: JVNDB-2019-014123 // CNNVD: CNNVD-202001-076 // NVD: CVE-2019-11994

SOURCES

db: CNVD | id: CNVD-2020-04655
db: JVNDB | id: JVNDB-2019-014123
db: CNNVD | id: CNNVD-202001-076
db: NVD | id: CVE-2019-11994

LAST UPDATE DATE

2024-11-23T22:48:10.117000+00:00


SOURCES UPDATE DATE

db: CNVD | id: CNVD-2020-04655 | date: 2020-02-11T00:00:00
db: JVNDB | id: JVNDB-2019-014123 | date: 2020-02-03T00:00:00
db: CNNVD | id: CNNVD-202001-076 | date: 2020-01-19T00:00:00
db: NVD | id: CVE-2019-11994 | date: 2024-11-21T04:22:07.590

SOURCES RELEASE DATE

db: CNVD | id: CNVD-2020-04655 | date: 2020-02-11T00:00:00
db: JVNDB | id: JVNDB-2019-014123 | date: 2020-02-03T00:00:00
db: CNNVD | id: CNNVD-202001-076 | date: 2020-01-03T00:00:00
db: NVD | id: CVE-2019-11994 | date: 2020-01-03T18:15:09.907