Details of VAR-202312-1363

ID

VAR-202312-1363

CVE

CVE-2023-44278

TITLE

Dell PowerProtect Data Domain Path Traversal Vulnerability

Trust: 0.6

sources: CNVD: CNVD-2024-46268

DESCRIPTION

Dell PowerProtect DD , versions prior to 7.13.0.10, LTS 7.7.5.25, LTS 7.10.1.15, 6.2.1.110 contain a path traversal vulnerability. A local high privileged attacker could potentially exploit this vulnerability, to gain unauthorized read and write access to the OS files stored on the server filesystem, with the privileges of the running application. Dell PowerProtect Data Domain (Dell PowerProtect DD) is a set of hardware devices for data protection, backup, storage and deduplication from Dell (Dell) in the United States. Dell PowerProtect Data Domain has a path traversal vulnerability, which is caused by the program failing to properly filter special elements in the resource or file path. Attackers can exploit this vulnerability to retrieve arbitrary files from the underlying file system through specially crafted web requests

Trust: 1.44

sources: NVD: CVE-2023-44278 // CNVD: CNVD-2024-46268

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-46268

AFFECTED PRODUCTS

vendor:	dell	model:	emc data domain os	scope:	gte	version:	7.0	Trust: 1.0
vendor:	dell	model:	powerprotect data domain	scope:	gte	version:	7.0	Trust: 1.0
vendor:	dell	model:	powerprotect data domain management center	scope:	gte	version:	7.0	Trust: 1.0
vendor:	dell	model:	powerprotect data domain	scope:	lt	version:	7.12.0.0	Trust: 1.0
vendor:	dell	model:	powerprotect data domain management center	scope:	lt	version:	7.10.1.15	Trust: 1.0
vendor:	dell	model:	emc data domain os	scope:	lt	version:	7.10.1.15	Trust: 1.0
vendor:	dell	model:	emc data domain os	scope:	lt	version:	7.12.0.0	Trust: 1.0
vendor:	dell	model:	powerprotect data domain management center	scope:	lt	version:	7.7.5.25	Trust: 1.0
vendor:	dell	model:	powerprotect data domain management center	scope:	gte	version:	7.10	Trust: 1.0
vendor:	dell	model:	apex protection storage	scope:	lt	version:	7.10.1.15	Trust: 1.0
vendor:	dell	model:	emc data domain os	scope:	lt	version:	7.7.5.25	Trust: 1.0
vendor:	dell	model:	emc data domain os	scope:	gte	version:	7.10	Trust: 1.0
vendor:	dell	model:	powerprotect data protection	scope:	lt	version:	2.7.6	Trust: 1.0
vendor:	dell	model:	powerprotect data domain management center	scope:	gte	version:	7.7	Trust: 1.0
vendor:	dell	model:	emc data domain os	scope:	gte	version:	7.7	Trust: 1.0
vendor:	dell	model:	powerprotect data domain management center	scope:	lt	version:	7.13.0.10	Trust: 1.0
vendor:	dell	model:	powerprotect data domain management center	scope:	lt	version:	6.2.1.110	Trust: 1.0
vendor:	dell	model:	emc data domain os	scope:	lt	version:	6.2.1.110	Trust: 1.0
vendor:	dell	model:	powerprotect data domain	scope:	lt	version:	6.2.1.110	Trust: 1.0
vendor:	dell	model:	apex protection storage	scope:	gte	version:	7.0	Trust: 1.0
vendor:	dell	model:	apex protection storage	scope:	lt	version:	6.2.1.110	Trust: 1.0
vendor:	dell	model:	powerprotect data domain	scope:	lt	version:	7.13.0.10	Trust: 0.6
vendor:	dell	model:	powerprotect data domain <lts	scope:	eq	version:	7.7.5.25	Trust: 0.6
vendor:	dell	model:	powerprotect data domain <lts	scope:	eq	version:	7.10.1.15	Trust: 0.6
vendor:	dell	model:	powerprotect data domain	scope:	eq	version:	6.2.1.110	Trust: 0.6

sources: CNVD: CNVD-2024-46268 // NVD: CVE-2023-44278

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-44278
value:	MEDIUM
Trust: 1.0
security_alert@emc.com:	CVE-2023-44278
value:	MEDIUM
Trust: 1.0
CNVD:	CNVD-2024-46268
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2024-46268
severity:	MEDIUM
baseScore:	6.5
vectorString:	AV:L/AC:L/AU:M/C:C/I:C/A:C
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	2.5
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2023-44278
baseSeverity:	MEDIUM
baseScore:	6.7
vectorString:	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector:	LOCAL
attackComplexity:	LOW
privilegesRequired:	HIGH
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.8
impactScore:	5.9
version:	3.1
Trust: 2.0

sources: CNVD: CNVD-2024-46268 // NVD: CVE-2023-44278 // NVD: CVE-2023-44278

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.0

sources: NVD: CVE-2023-44278

PATCH

title:

Patch for Dell PowerProtect Data Domain Path Traversal Vulnerability

url:

https://www.cnvd.org.cn/patchInfo/show/618186

Trust: 0.6

sources: CNVD: CNVD-2024-46268

EXTERNAL IDS

db:	NVD	id:	CVE-2023-44278	Trust: 1.6
db:	CNVD	id:	CNVD-2024-46268	Trust: 0.6

sources: CNVD: CNVD-2024-46268 // NVD: CVE-2023-44278

REFERENCES

url:	https://www.dell.com/support/kbdoc/en-us/000220264/dsa-2023-412-dell-technologies-powerprotect-security-update-for-multiple-security-vulnerabilities	Trust: 1.0
url:	https://nvd.nist.gov/vuln/detail/cve-2023-44278	Trust: 0.6

sources: CNVD: CNVD-2024-46268 // NVD: CVE-2023-44278

SOURCES

db:	CNVD	id:	CNVD-2024-46268
db:	NVD	id:	CVE-2023-44278

LAST UPDATE DATE

2024-11-28T23:04:43.276000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2024-46268	date:	2024-11-27T00:00:00
db:	NVD	id:	CVE-2023-44278	date:	2023-12-27T19:32:20.107

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2024-46268	date:	2024-11-14T00:00:00
db:	NVD	id:	CVE-2023-44278	date:	2023-12-14T16:15:45.490