Dell

Dell PowerScale OneFS 9.4.0.x contains exposure of sensitive information to an unauthorized actor

CVE-2023-25536 6.7 - Medium - March 02, 2023

Dell PowerScale OneFS 9.4.0.x contains exposure of sensitive information to an unauthorized actor. A malicious authenticated local user could potentially exploit this vulnerability in certificate management, leading to a potential system takeover.

Exposure of Resource to Wrong Sphere

Dell NetWorker versions 19.5 and earlier contain 'RabbitMQ' version disclosure vulnerability

CVE-2023-24567 6.5 - Medium - March 01, 2023

Dell NetWorker versions 19.5 and earlier contain 'RabbitMQ' version disclosure vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and may launch target-specific attacks.

Exposure of Resource to Wrong Sphere

Dell NetWorker versions 19.5 and earlier contain 'Apache Tomcat' version disclosure vulnerability

CVE-2023-25544 6.5 - Medium - March 01, 2023

Dell NetWorker versions 19.5 and earlier contain 'Apache Tomcat' version disclosure vulnerability. A NetWorker server user with remote access to NetWorker clients may potentially exploit this vulnerability and may launch target-specific attacks.

Exposure of Resource to Wrong Sphere

Dell PowerScale OneFS 9.4.0.x contains an incorrect default permissions vulnerability

CVE-2023-25540 7.1 - High - February 28, 2023

Dell PowerScale OneFS 9.4.0.x contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability to overwrite arbitrary files causing denial of service.

Incorrect Default Permissions

Dell Multifunction Printer E525w Driver and Software Suite, versions prior to 1.047.2022, A05, contain a local privilege escalation vulnerability

CVE-2023-24575 7.8 - High - February 21, 2023

Dell Multifunction Printer E525w Driver and Software Suite, versions prior to 1.047.2022, A05, contain a local privilege escalation vulnerability that could be exploited by malicious users to compromise the affected system

Dell Secure Connect Gateway (SCG) version 5.14.00.12 contains a broken cryptographic algorithm vulnerability

CVE-2023-23695 5.9 - Medium - February 17, 2023

Dell Secure Connect Gateway (SCG) version 5.14.00.12 contains a broken cryptographic algorithm vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by performing MitM attacks and let attackers obtain sensitive information.

Use of a Broken or Risky Cryptographic Algorithm

Dell EMC Unity versions before 5.2.0.0.5.173 , use(es) broken cryptographic algorithm

CVE-2022-22564 5.9 - Medium - February 14, 2023

Dell EMC Unity versions before 5.2.0.0.5.173 , use(es) broken cryptographic algorithm. A remote unauthenticated attacker could potentially exploit this vulnerability by performing MitM attacks and let attackers obtain sensitive information.

Use of a Broken or Risky Cryptographic Algorithm

Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solution Enabler vApp version 10.0.0.5 and below contains an authorization bypass vulnerability

CVE-2022-34397 5.7 - Medium - February 13, 2023

Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solution Enabler vApp version 10.0.0.5 and below contains an authorization bypass vulnerability, allowing users to perform actions in which they are not authorized.

AuthZ

Dell Command | Intel vPro Out of Band, versions before 4.4.0, contain an arbitrary folder delete vulnerability during uninstallation

CVE-2023-23697 3.3 - Low - February 13, 2023

Dell Command | Intel vPro Out of Band, versions before 4.4.0, contain an arbitrary folder delete vulnerability during uninstallation. A locally authenticated malicious user may potentially exploit this vulnerability leading to arbitrary folder deletion.

insecure temporary file

Dell Command | Integration Suite for System Center

CVE-2023-24572 3.3 - Low - February 13, 2023

Dell Command | Integration Suite for System Center, versions before 6.4.0 contain an arbitrary folder delete vulnerability during uninstallation. A locally authenticated malicious user may potentially exploit this vulnerability leading to arbitrary folder deletion.

insecure temporary file

Dell SupportAssist Client Consumer (version 3.11.1 and prior)

CVE-2022-34384 7.8 - High - February 11, 2023

Dell SupportAssist Client Consumer (version 3.11.1 and prior), SupportAssist Client Commercial (version 3.2 and prior), Dell Command | Update, Dell Update, and Alienware Update versions before 4.5 contain a Local Privilege Escalation Vulnerability in the Advanced Driver Restore component. A local malicious user may potentially exploit this vulnerability, leading to privilege escalation.

Improper Privilege Management

SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability

CVE-2022-34385 5.5 - Medium - February 11, 2023

SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information.

Inadequate Encryption Strength

Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability

CVE-2022-34386 5.5 - Medium - February 11, 2023

Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information.

Use of Hard-coded Credentials

Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain a privilege escalation vulnerability

CVE-2022-34387 7.8 - High - February 11, 2023

Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain a privilege escalation vulnerability. A local authenticated malicious user could potentially exploit this vulnerability to elevate privileges and gain total control of the system.

Exposure of Resource to Wrong Sphere

Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain information disclosure vulnerability

CVE-2022-34388 7.1 - High - February 11, 2023

Dell SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain information disclosure vulnerability. A local malicious user with low privileges could exploit this vulnerability to view and modify sensitive information in the database of the affected application.

Cleartext Storage of Sensitive Information

Dell SupportAssist contains a rate limit bypass issues in screenmeet API third party component

CVE-2022-34389 5.3 - Medium - February 11, 2023

Dell SupportAssist contains a rate limit bypass issues in screenmeet API third party component. An unauthenticated attacker could potentially exploit this vulnerability and impersonate a legitimate dell customer to a dell support technician.

Improper Restriction of Excessive Authentication Attempts

SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability

CVE-2022-34392 5.5 - Medium - February 11, 2023

SupportAssist for Home PCs (versions 3.11.4 and prior) contain an insufficient session expiration Vulnerability. An authenticated non-admin user can be able to obtain the refresh token and that leads to reuse the access token and fetch sensitive information.

Insufficient Session Expiration

Dell System Update, version 2.0.0 and earlier, contains an Improper Certificate Validation in data parser module

CVE-2022-34404 6 - Medium - February 11, 2023

Dell System Update, version 2.0.0 and earlier, contains an Improper Certificate Validation in data parser module. A local attacker with high privileges could potentially exploit this vulnerability, leading to credential theft and/or denial of service.

Improper Certificate Validation

Dell PowerScale OneFS, versions 9.2.0.x through 9.4.0.x contain an information vulnerability

CVE-2022-34444 7.5 - High - February 11, 2023

Dell PowerScale OneFS, versions 9.2.0.x through 9.4.0.x contain an information vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to cause data leak.

Use of a Broken or Risky Cryptographic Algorithm

Dell PowerScale OneFS, versions 8.2.x through 9.3.x contain a weak encoding for a password

CVE-2022-34445 4.4 - Medium - February 11, 2023

Dell PowerScale OneFS, versions 8.2.x through 9.3.x contain a weak encoding for a password. A malicious local privileged attacker may potentially exploit this vulnerability, leading to information disclosure.

Inadequate Encryption Strength

PowerPath Management Appliance with versions 3.3 & 3.2* contains Authorization Bypass vulnerability

CVE-2022-34446 8.1 - High - February 11, 2023

PowerPath Management Appliance with versions 3.3 & 3.2* contains Authorization Bypass vulnerability. An authenticated remote user with limited privileges (e.g., of role Monitoring) can exploit this issue and gain access to sensitive information, and modify the configuration.

authentification

Wyse Management Suite Repository 3.8 and below contain an information disclosure vulnerability

CVE-2022-46675 5.3 - Medium - February 11, 2023

Wyse Management Suite Repository 3.8 and below contain an information disclosure vulnerability. A unauthenticated attacker could potentially discover the internal structure of the application and its components and use this information for further vulnerability research.

Generation of Error Message Containing Sensitive Information

Wyse Management Suite 3.8 and below contain an improper access control vulnerability

CVE-2022-46676 4.9 - Medium - February 11, 2023

Wyse Management Suite 3.8 and below contain an improper access control vulnerability. A malicious admin user can disable or delete users under administration and unassigned admins for which the group admin is not authorized.

Wyse Management Suite 3.8 and below contain an improper access control vulnerability with

CVE-2022-46677 4.9 - Medium - February 11, 2023

Wyse Management Suite 3.8 and below contain an improper access control vulnerability with which an custom group admin can create a subgroup under a group for which the admin is not authorized.

Wyse Management Suite 3.8 and below contain an improper access control vulnerability

CVE-2022-46678 4.9 - Medium - February 11, 2023

Wyse Management Suite 3.8 and below contain an improper access control vulnerability. A authenticated malicious admin user can edit general client policy for which the user is not authorized.

Wyse Management Suite 3.8 and below contain an improper access control vulnerability

CVE-2022-46754 6.5 - Medium - February 11, 2023

Wyse Management Suite 3.8 and below contain an improper access control vulnerability. A authenticated malicious admin user might access certain pro license features for which this admin is not authorized in order to configure user controlled external entities.

Wyse Management Suite 3.8 and below contain an improper access control vulnerability

CVE-2022-46755 4.9 - Medium - February 11, 2023

Wyse Management Suite 3.8 and below contain an improper access control vulnerability. A authenticated malicious admin user can edit general client policy for which the user is not authorized.

PowerPath Management Appliance with versions 3.3 & 3.2*, 3.1 & 3.0* contains OS Command Injection vulnerability

CVE-2022-34447 7.2 - High - February 11, 2023

PowerPath Management Appliance with versions 3.3 & 3.2*, 3.1 & 3.0* contains OS Command Injection vulnerability. An authenticated remote attacker with administrative privileges could potentially exploit the issue and execute commands on the system as the root user.

Shell injection

PowerPath Management Appliance with versions 3.3 & 3.2*, 3.1 & 3.0* contains a Cross-site Request Forgery vulnerability

CVE-2022-34448 8.8 - High - February 11, 2023

PowerPath Management Appliance with versions 3.3 & 3.2*, 3.1 & 3.0* contains a Cross-site Request Forgery vulnerability. An unauthenticated non-privileged user could potentially exploit the issue and perform any privileged state-changing actions.

Session Riding

PowerPath Management Appliance with versions 3.3 & 3.2* contains a Hardcoded Cryptographic Keys vulnerability

CVE-2022-34449 6 - Medium - February 11, 2023

PowerPath Management Appliance with versions 3.3 & 3.2* contains a Hardcoded Cryptographic Keys vulnerability. Authenticated admin users can exploit the issue that leads to view and modifying sensitive information stored in the application.

Use of Hard-coded Credentials

PowerPath Management Appliance with version 3.3 contains Privilege Escalation vulnerability

CVE-2022-34450 6.7 - Medium - February 11, 2023

PowerPath Management Appliance with version 3.3 contains Privilege Escalation vulnerability. An authenticated admin user could potentially exploit this issue and gain unrestricted control/code execution on the system as root.

PowerPath Management Appliance with versions 3.3 & 3.2*, 3.1 & 3.0* contains a Stored Cross-site Scripting Vulnerability

CVE-2022-34451 4.8 - Medium - February 11, 2023

PowerPath Management Appliance with versions 3.3 & 3.2*, 3.1 & 3.0* contains a Stored Cross-site Scripting Vulnerability. An authenticated admin user could potentially exploit this vulnerability, to hijack user sessions or trick a victim application user into unknowingly send arbitrary requests to the server.

XSS

Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solution Enabler vApp version 9.2.3.x contain a command execution vulnerability

CVE-2022-45104 8.8 - High - February 11, 2023

Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solution Enabler vApp version 9.2.3.x contain a command execution vulnerability. A low privileged remote attacker could potentially exploit this vulnerability, leading to execute arbitrary commands on the underlying system.

Shell injection

Dell BSAFE SSL-J when used in debug mode can reveal unnecessary information

CVE-2022-34364 4.4 - Medium - February 10, 2023

Dell BSAFE SSL-J when used in debug mode can reveal unnecessary information. An attacker could potentially exploit this vulnerability and have access to private information.

Exposure of Resource to Wrong Sphere

Dell SupportAssist for Home PCs (version 3.11.2 and prior) contain Overly Permissive Cross-domain Whitelist vulnerability

CVE-2022-34366 6.5 - Medium - February 10, 2023

Dell SupportAssist for Home PCs (version 3.11.2 and prior) contain Overly Permissive Cross-domain Whitelist vulnerability. An authenticated non-admin user could potentially exploit the issue and obtain sensitive information.

Incorrect Comparison

Dell PowerScale OneFS, versions 8.2.x through 9.4.x contain multiple stored cross-site scripting vulnerabilities

CVE-2022-33934 4.8 - Medium - February 10, 2023

Dell PowerScale OneFS, versions 8.2.x through 9.4.x contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges may potentially exploit these vulnerabilities to store malicious HTML or JavaScript code through multiple affected fields.

XSS

Dell Command | Update

CVE-2023-23698 7.1 - High - February 10, 2023

Dell Command | Update, Dell Update, and Alienware Update versions before 4.6.0 and 4.7.1 contain Insecure Operation on Windows Junction in the installer component. A local malicious user may potentially exploit this vulnerability leading to arbitrary file delete.

Dell Alienware Command Center versions 5.5.37.0 and prior contain an Improper Input validation vulnerability

CVE-2023-24569 7.8 - High - February 10, 2023

Dell Alienware Command Center versions 5.5.37.0 and prior contain an Improper Input validation vulnerability. A local authenticated malicious user could potentially send malicious input to a named pipe in order to elevate privileges on the system.

Improper Input Validation

Dell Command | Monitor versions prior to 10.9 contain an arbitrary folder delete vulnerability during uninstallation

CVE-2023-24573 7.1 - High - February 10, 2023

Dell Command | Monitor versions prior to 10.9 contain an arbitrary folder delete vulnerability during uninstallation. A locally authenticated malicious user may potentially exploit this vulnerability leading to arbitrary folder deletion.

PowerPath Management Appliance with versions 3.3, 3.2*, 3.1 & 3.0* contains sensitive information disclosure vulnerability

CVE-2022-34452 2.7 - Low - February 10, 2023

PowerPath Management Appliance with versions 3.3, 3.2*, 3.1 & 3.0* contains sensitive information disclosure vulnerability. An Authenticated admin user can able to exploit the issue and view sensitive information stored in the logs.

Exposure of Resource to Wrong Sphere

Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a heap-based buffer overflow

CVE-2022-34454 6.7 - Medium - February 10, 2023

Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a heap-based buffer overflow. A local privileged malicious user could potentially exploit this vulnerability, leading to system takeover. This impacts compliance mode clusters.

Memory Corruption

Dell Command Intel vPro Out of Band, versions prior to 4.3.1, contain an Improper Authorization vulnerability

CVE-2023-23696 7.8 - High - February 07, 2023

Dell Command Intel vPro Out of Band, versions prior to 4.3.1, contain an Improper Authorization vulnerability. A locally authenticated malicious users could potentially exploit this vulnerability in order to write arbitrary files to the system.

AuthZ

EMC NetWorker may potentially be vulnerable to an unauthenticated remote code execution vulnerability in the NetWorker Client execution service (nsrexecd) irrespective of any auth used.

CVE-2023-24576 9.8 - Critical - February 03, 2023

EMC NetWorker may potentially be vulnerable to an unauthenticated remote code execution vulnerability in the NetWorker Client execution service (nsrexecd) irrespective of any auth used.

Code Injection

Dell Enterprise SONiC OS

CVE-2023-24574 7.5 - High - February 02, 2023

Dell Enterprise SONiC OS, 3.5.3, 4.0.0, 4.0.1, 4.0.2, contains an "Uncontrolled Resource Consumption vulnerability" in authentication component. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to uncontrolled resource consumption by creating permanent home directories for unauthenticated users.

Resource Exhaustion

Dell PowerScale OneFS 9.0.0.x-9.4.0.x contain an insertion of sensitive information into log file vulnerability in cloudpool

CVE-2023-22573 5.5 - Medium - February 01, 2023

Dell PowerScale OneFS 9.0.0.x-9.4.0.x contain an insertion of sensitive information into log file vulnerability in cloudpool. A low privileged local attacker could potentially exploit this vulnerability, leading to sensitive information disclosure.

Insertion of Sensitive Information into Log File

Dell PowerScale OneFS 9.0.0.x - 9.4.0.x contain an insertion of sensitive information into log file vulnerability in platform API of IPMI module

CVE-2023-22574 8.1 - High - February 01, 2023

Dell PowerScale OneFS 9.0.0.x - 9.4.0.x contain an insertion of sensitive information into log file vulnerability in platform API of IPMI module. A low-privileged user with permission to read logs on the cluster could potentially exploit this vulnerability, leading to Information disclosure and denial of service.

Insertion of Sensitive Information into Log File

Dell PowerScale OneFS 9.0.0.x - 9.4.0.x contain an insertion of sensitive information into log file vulnerability in celog

CVE-2023-22575 8.8 - High - February 01, 2023

Dell PowerScale OneFS 9.0.0.x - 9.4.0.x contain an insertion of sensitive information into log file vulnerability in celog. A low privileges user could potentially exploit this vulnerability, leading to information disclosure and escalation of privileges.

Insertion of Sensitive Information into Log File

Dell EMC prior to version DDOS 7.9 contain(s) an OS command injection Vulnerability

CVE-2023-23692 8.8 - High - February 01, 2023

Dell EMC prior to version DDOS 7.9 contain(s) an OS command injection Vulnerability. An authenticated non admin attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application.

Shell injection

Dell PowerScale OneFS 9.1.0.x-9.4.0.x contain an insertion of sensitive information into log file vulnerability in change password api

CVE-2023-22572 7.8 - High - February 01, 2023

Dell PowerScale OneFS 9.1.0.x-9.4.0.x contain an insertion of sensitive information into log file vulnerability in change password api. A low privilege local attacker could potentially exploit this vulnerability, leading to system takeover.

Insertion of Sensitive Information into Log File

Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability

CVE-2022-46756 6.7 - Medium - February 01, 2023

Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.

Exposure of Resource to Wrong Sphere

Dell OpenManage Server Administrator (OMSA) version 10.3.0.0 and earlier contains a DLL Injection Vulnerability

CVE-2022-34396 7.8 - High - February 01, 2023

Dell OpenManage Server Administrator (OMSA) version 10.3.0.0 and earlier contains a DLL Injection Vulnerability. A local low privileged authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary executable on the operating system with elevated privileges. Exploitation may lead to a complete system compromise.

DLL preloading

Dell EMC Data Protection Central, versions 19.1 through 19.7, contains a Host Header Injection vulnerability

CVE-2022-45102 6.1 - Medium - February 01, 2023

Dell EMC Data Protection Central, versions 19.1 through 19.7, contains a Host Header Injection vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability by injecting arbitrary \u2018Host\u2019 header values to poison a web cache or trigger redirections.

Output Sanitization

Dell PowerScale OneFS, versions 8.2.x-9.3.x, contains an Improper Certificate Validation vulnerability

CVE-2022-45100 9.8 - Critical - February 01, 2023

Dell PowerScale OneFS, versions 8.2.x-9.3.x, contains an Improper Certificate Validation vulnerability. An remote unauthenticated attacker could potentially exploit this vulnerability, leading to a full compromise of the system.

Improper Certificate Validation

Dell PowerScale OneFS, versions 8.2.x-9.4.x, contain a weak encoding for a NDMP password

CVE-2022-45099 7.8 - High - February 01, 2023

Dell PowerScale OneFS, versions 8.2.x-9.4.x, contain a weak encoding for a NDMP password. A malicious and privileged local attacker could potentially exploit this vulnerability, leading to a full system compromise

Incorrect Default Permissions

Dell PowerScale OneFS 8.2.x, 9.0.0.x - 9.4.0.x, contain an insufficient resource pool vulnerability

CVE-2022-46679 7.5 - High - February 01, 2023

Dell PowerScale OneFS 8.2.x, 9.0.0.x - 9.4.0.x, contain an insufficient resource pool vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service.

Dell PowerScale OneFS, 9.0.0.x-9.4.0.x, contain a cleartext storage of sensitive information vulnerability in S3 component

CVE-2022-45098 5.5 - Medium - February 01, 2023

Dell PowerScale OneFS, 9.0.0.x-9.4.0.x, contain a cleartext storage of sensitive information vulnerability in S3 component. An authenticated local attacker could potentially exploit this vulnerability, leading to information disclosure.

Cleartext Storage of Sensitive Information

Dell PowerScale OneFS, 8.2.0 through 9.3.0, contain an User Interface Security Issue

CVE-2022-45096 6.5 - Medium - February 01, 2023

Dell PowerScale OneFS, 8.2.0 through 9.3.0, contain an User Interface Security Issue. An unauthenticated remote user could unintentionally lead an administrator to enable this vulnerability, leading to disclosure of information.

Clickjacking

Dell PowerScale OneFS 9.0.0.x - 9.4.0.x, contains an Improper Handling of Insufficient Privileges vulnerability in NFS

CVE-2022-45101 9.8 - Critical - February 01, 2023

Dell PowerScale OneFS 9.0.0.x - 9.4.0.x, contains an Improper Handling of Insufficient Privileges vulnerability in NFS. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure and remote execution.

Improper Privilege Management

Dell PowerScale OneFS 9.0.0.x-9.4.0.x contains an Incorrect User Management vulnerability

CVE-2022-45097 8.8 - High - February 01, 2023

Dell PowerScale OneFS 9.0.0.x-9.4.0.x contains an Incorrect User Management vulnerability. A low privileged network attacker could potentially exploit this vulnerability, leading to escalation of privileges, and information disclosure.

Incorrect Default Permissions

Dell PowerScale OneFS, 8.2.x-9.4.x, contain a command injection vulnerability

CVE-2022-45095 6.7 - Medium - February 01, 2023

Dell PowerScale OneFS, 8.2.x-9.4.x, contain a command injection vulnerability. An authenticated user having access local shell and having the privilege to gather logs from the cluster could potentially exploit this vulnerability, leading to execute arbitrary commands, denial of service, information disclosure, and data deletion.

Command Injection

Dell Command | Update

CVE-2022-34459 7.8 - High - February 01, 2023

Dell Command | Update, Dell Update, and Alienware Update versions prior to 4.7 contain a improper verification of cryptographic signature in get applicable driver component. A local malicious user could potentially exploit this vulnerability leading to malicious payload execution.

Improper Verification of Cryptographic Signature

Dell Command | Update

CVE-2022-34458 5.5 - Medium - February 01, 2023

Dell Command | Update, Dell Update, and Alienware Update versions prior to 4.7 contain a Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in download operation component. A local malicious user could potentially exploit this vulnerability leading to the disclosure of confidential data.

Dell Rugged Control Center, versions prior to 4.5, contain an Improper Input Validation in the Service EndPoint

CVE-2022-34443 7.8 - High - February 01, 2023

Dell Rugged Control Center, versions prior to 4.5, contain an Improper Input Validation in the Service EndPoint. A Local Low Privilege attacker could potentially exploit this vulnerability, leading to an Escalation of privileges.

Improper Input Validation

Cloud Mobility for Dell EMC Storage, versions 1.3.0.X and below contains an Improper Check for Certificate Revocation vulnerability

CVE-2023-23690 7 - High - January 19, 2023

Cloud Mobility for Dell EMC Storage, versions 1.3.0.X and below contains an Improper Check for Certificate Revocation vulnerability. A threat actor does not need any specific privileges to potentially exploit this vulnerability. An attacker could perform a man-in-the-middle attack and eavesdrop on encrypted communications from Cloud Mobility to Cloud Storage devices. Exploitation could lead to the compromise of secret and sensitive information, cloud storage connection downtime, and the integrity of the connection to the Cloud devices.

Improper Certificate Validation

Dell Unisphere for PowerMax vApp

CVE-2022-45103 6.5 - Medium - January 18, 2023

Dell Unisphere for PowerMax vApp, VASA Provider vApp, and Solution Enabler vApp version 9.2.3.x contain an information disclosure vulnerability. A low privileged remote attacker could potentially exploit this vulnerability, leading to read arbitrary files on the underlying file system.

Information Disclosure

Dell command configuration, version 4.8 and prior, contains improper folder permission when installed not to default path but to non-secured path

CVE-2022-34457 7.8 - High - January 18, 2023

Dell command configuration, version 4.8 and prior, contains improper folder permission when installed not to default path but to non-secured path which leads to privilege escalation. This is critical severity vulnerability as it allows non-admin to modify the files inside installed directory and able to make application unavailable for all users.

Exposure of Resource to Wrong Sphere

Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain(s) a contain a Hard-coded Cryptographic Key vulnerability

CVE-2022-34442 9.8 - Critical - January 18, 2023

Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain(s) a contain a Hard-coded Cryptographic Key vulnerability. An attacker with the knowledge of the hard-coded sensitive information, could potentially exploit this vulnerability to login to the system to gain LDAP user privileges.

Use of Hard-coded Credentials

Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain(s) a Hard-coded Password Vulnerability

CVE-2022-34462 7.8 - High - January 18, 2023

Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain(s) a Hard-coded Password Vulnerability. An attacker, with the knowledge of the hard-coded credentials, could potentially exploit this vulnerability to login to the system to gain admin privileges.

Use of Hard-coded Credentials

Dell EMC Metro node, Version(s) prior to 7.1, contain a Code Injection Vulnerability

CVE-2022-34456 8.8 - High - January 18, 2023

Dell EMC Metro node, Version(s) prior to 7.1, contain a Code Injection Vulnerability. An authenticated nonprivileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application.

Code Injection

Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain(s) a contain a Hard-coded Cryptographic Key vulnerability

CVE-2022-34441 9.8 - Critical - January 11, 2023

Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain(s) a contain a Hard-coded Cryptographic Key vulnerability. An attacker with the knowledge of the hard-coded sensitive information, could potentially exploit this vulnerability to login to the system to gain admin privileges.

Use of Hard-coded Credentials

Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain(s) a contain a Hard-coded Cryptographic Key vulnerability

CVE-2022-34440 9.8 - Critical - January 11, 2023

Dell EMC SCG Policy Manager, versions from 5.10 to 5.12, contain(s) a contain a Hard-coded Cryptographic Key vulnerability. An attacker with the knowledge of the hard-coded sensitive information, could potentially exploit this vulnerability to login to the system to gain admin privileges.

Use of Hard-coded Credentials

The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding

CVE-2020-5355 4.3 - Medium - October 21, 2022

The Dell Isilon OneFS versions 8.2.2 and earlier SSHD process improperly allows Transmission Control Protocol (TCP) and stream forwarding. This provides the remotesupport user and users with restricted shells more access than is intended.

Incorrect Default Permissions

Dell PowerStore versions 2.1.0.x contain an Authentication bypass vulnerability

CVE-2022-26870 9.8 - Critical - October 21, 2022

Dell PowerStore versions 2.1.0.x contain an Authentication bypass vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability under specific configuration. An attacker would gain unauthorized access upon successful exploit.

authentification

Dell PowerScale OneFS

CVE-2022-31239 4.4 - Medium - October 21, 2022

Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, and 9.3.0.6, contain sensitive data in log files vulnerability. A privileged local user may potentially exploit this vulnerability, leading to disclosure of this sensitive data.

Insertion of Sensitive Information into Log File

Dell PowerScale OneFS, versions 8.2.2-9.3.0, contain an OS command injection vulnerability

CVE-2022-34437 6.7 - Medium - October 21, 2022

Dell PowerScale OneFS, versions 8.2.2-9.3.0, contain an OS command injection vulnerability. A privileged local malicious user could potentially exploit this vulnerability, leading to a full system compromise. This impacts compliance mode clusters.

Shell injection

Dell PowerScale OneFS, versions 8.2.x-9.4.0.x, contain a privilege context switching error

CVE-2022-34438 6.7 - Medium - October 21, 2022

Dell PowerScale OneFS, versions 8.2.x-9.4.0.x, contain a privilege context switching error. A local authenticated malicious user with high privileges could potentially exploit this vulnerability, leading to full system compromise. This impacts compliance mode clusters.

Improper Privilege Management

Dell PowerScale OneFS, versions 8.2.0.x-9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability

CVE-2022-34439 7.5 - High - October 21, 2022

Dell PowerScale OneFS, versions 8.2.0.x-9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service and performance issue on that node.

Allocation of Resources Without Limits or Throttling

Dell GeoDrive, Versions 1.0 - 2.2, contain a Path Traversal Vulnerability in the reporting function

CVE-2022-33937 7.1 - High - October 12, 2022

Dell GeoDrive, Versions 1.0 - 2.2, contain a Path Traversal Vulnerability in the reporting function. A local, low privileged attacker could potentially exploit this vulnerability, to gain unauthorized delete access to the files stored on the server filesystem, with the privileges of the GeoDrive service: NT AUTHORITY\SYSTEM.

Directory traversal

Dell GeoDrive, versions prior to 2.2, contains Insecure File and Folder Permissions vulnerabilities

CVE-2022-33922 7.8 - High - October 12, 2022

Dell GeoDrive, versions prior to 2.2, contains Insecure File and Folder Permissions vulnerabilities. A low privilege attacker could potentially exploit this vulnerability, leading to the execution of arbitrary code in the SYSTEM security context. Dell recommends customers to upgrade at the earliest opportunity.

Incorrect Default Permissions

Dell GeoDrive, versions prior to 2.2, contains Multiple DLL Hijacking Vulnerabilities

CVE-2022-33921 7.8 - High - October 12, 2022

Dell GeoDrive, versions prior to 2.2, contains Multiple DLL Hijacking Vulnerabilities. A low privilege attacker could potentially exploit this vulnerability, leading to the execution of arbitrary code in the SYSTEM security context.

DLL preloading

Dell GeoDrive, versions prior to 2.2, contains an Unquoted File Path vulnerability

CVE-2022-33920 7.8 - High - October 12, 2022

Dell GeoDrive, versions prior to 2.2, contains an Unquoted File Path vulnerability. A low privilege attacker could potentially exploit this vulnerability, leading to the execution of arbitrary code in the SYSTEM security context.

Unquoted Search Path or Element

Dell GeoDrive, Versions 2.1 - 2.2, contains an information disclosure vulnerability

CVE-2022-33918 5.5 - Medium - October 12, 2022

Dell GeoDrive, Versions 2.1 - 2.2, contains an information disclosure vulnerability. An authenticated non-admin user could potentially exploit this vulnerability and gain access to sensitive information.

Cleartext Storage of Sensitive Information

Dell GeoDrive, versions 2.1 - 2.2, contains an information disclosure vulnerability in GUI

CVE-2022-33919 7.8 - High - October 12, 2022

Dell GeoDrive, versions 2.1 - 2.2, contains an information disclosure vulnerability in GUI. An authenticated non-admin user could potentially exploit this vulnerability and view sensitive information.

Dell Container Storage Modules 1.2 contains an Improper Limitation of a Pathname to a Restricted Directory in goiscsi and gobrick libraries

CVE-2022-34426 8.8 - High - October 11, 2022

Dell Container Storage Modules 1.2 contains an Improper Limitation of a Pathname to a Restricted Directory in goiscsi and gobrick libraries which could lead to OS command injection. A remote unauthenticated attacker could exploit this vulnerability leading to unintentional access to path outside of restricted directory.

Directory traversal

Cloud Mobility for Dell Storage versions 1.3.0 and earlier contains an Improper Access Control vulnerability within the Postgres database

CVE-2022-34434 6.7 - Medium - October 11, 2022

Cloud Mobility for Dell Storage versions 1.3.0 and earlier contains an Improper Access Control vulnerability within the Postgres database. A threat actor with root level access to either the vApp or containerized versions of Cloud Mobility may potentially exploit this vulnerability, leading to the modification or deletion of tables that are required for many of the core functionalities of Cloud Mobility. Exploitation may lead to the compromise of integrity and availability of the normal functionality of the Cloud Mobility application.

AuthZ

Dell Container Storage Modules 1.2 contains an OS Command Injection in goiscsi and gobrick libraries

CVE-2022-34427 8.8 - High - October 11, 2022

Dell Container Storage Modules 1.2 contains an OS Command Injection in goiscsi and gobrick libraries. A remote unauthenticated attacker could exploit this vulnerability leading to modification of intended OS command execution.

Shell injection

Dell Hybrid Client below 1.8 version contains a Zip Bomb Vulnerability in UI

CVE-2022-34430 7.5 - High - October 11, 2022

Dell Hybrid Client below 1.8 version contains a Zip Bomb Vulnerability in UI. A guest privilege attacker could potentially exploit this vulnerability, leading to system files modification.

XEE

Dell Hybrid Client below 1.8 version contains a guest user profile corruption vulnerability

CVE-2022-34431 6.5 - Medium - October 11, 2022

Dell Hybrid Client below 1.8 version contains a guest user profile corruption vulnerability. A WMS privilege attacker could potentially exploit this vulnerability, leading to DHC system not being accessible.

Dell Hybrid Client below 1.8 version contains a gedit vulnerability

CVE-2022-34432 8.2 - High - October 11, 2022

Dell Hybrid Client below 1.8 version contains a gedit vulnerability. A guest attacker could potentially exploit this vulnerability, allowing deletion of user and some system files and folders.

Dell Enterprise SONiC OS, 4.0.0, 4.0.1, contain a cryptographic key vulnerability in SSH

CVE-2022-34425 7.5 - High - October 10, 2022

Dell Enterprise SONiC OS, 4.0.0, 4.0.1, contain a cryptographic key vulnerability in SSH. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to unauthorized access to communication.

Use of Hard-coded Credentials

Dell Hybrid Client prior to version 1.8 contains a Regular Expression Denial of Service Vulnerability in the UI

CVE-2022-34428 2.7 - Low - September 30, 2022

Dell Hybrid Client prior to version 1.8 contains a Regular Expression Denial of Service Vulnerability in the UI. An adversary with WMS group admin access could potentially exploit this vulnerability, leading to temporary denial-of-service.

Dell Hybrid Client below 1.8 version contains a Zip Slip Vulnerability in UI

CVE-2022-34429 7.1 - High - September 30, 2022

Dell Hybrid Client below 1.8 version contains a Zip Slip Vulnerability in UI. A guest privilege attacker could potentially exploit this vulnerability, leading to system files modification.

Directory traversal

Networking OS10, versions 10.5.1.x, 10.5.2.x, and 10.5.3.x contain a vulnerability

CVE-2022-34424 7.5 - High - September 28, 2022

Networking OS10, versions 10.5.1.x, 10.5.2.x, and 10.5.3.x contain a vulnerability that could allow an attacker to cause a system crash by running particular security scans.

Memory Corruption

Dell OS10, version 10.5.3.4, contains an Improper Certificate Validation vulnerability in Support Assist

CVE-2022-34394 3.7 - Low - September 28, 2022

Dell OS10, version 10.5.3.4, contains an Improper Certificate Validation vulnerability in Support Assist. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to unauthorized access to limited switch configuration data. The vulnerability could be leveraged by attackers to conduct man-in-the-middle attacks to gain access to the Support Assist information.

Improper Certificate Validation

Dell Networking OS10, versions prior to October 2021 with Smart Fabric Services enabled, contains an information disclosure vulnerability

CVE-2022-29089 4.9 - Medium - September 28, 2022

Dell Networking OS10, versions prior to October 2021 with Smart Fabric Services enabled, contains an information disclosure vulnerability. A remote, unauthenticated attacker could potentially exploit this vulnerability by reverse engineering to retrieve sensitive information and access the REST API with admin privileges.

Insufficiently Protected Credentials

Dell Command Update

CVE-2022-34382 7.8 - High - September 02, 2022

Dell Command Update, Dell Update and Alienware Update versions prior to 4.6.0 contains a Local Privilege Escalation Vulnerability in the custom catalog configuration. A local malicious user may potentially exploit this vulnerability in order to elevate their privileges.

Improper Privilege Management

Dell PowerScale OneFS

CVE-2022-34378 5.5 - Medium - September 02, 2022

Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.20, 9.2.1.13, 9.3.0.6, and 9.4.0.3, contain a relative path traversal vulnerability. A low privileged local attacker could potentially exploit this vulnerability, leading to denial of service.

Directory traversal

Dell PowerScale OneFS

CVE-2022-34371 9.8 - Critical - September 02, 2022

Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.3, contain an unprotected transport of credentials vulnerability. A malicious unprivileged network attacker could potentially exploit this vulnerability, leading to full system compromise.

Cleartext Transmission of Sensitive Information

Dell PowerScale OneFS

CVE-2022-34369 7.5 - High - September 02, 2022

Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.20, 9.2.1.13, 9.3.0.6, and 9.4.0.3 , contain an insertion of sensitive information in log files vulnerability. A remote unprivileged attacker could potentially exploit this vulnerability, leading to exposure of this sensitive data.

Insertion of Sensitive Information into Log File

Dell EMC CloudLink 7.1.2 and all prior versions contain an Authentication Bypass Vulnerability

CVE-2022-34379 9.8 - Critical - September 01, 2022

Dell EMC CloudLink 7.1.2 and all prior versions contain an Authentication Bypass Vulnerability. A remote attacker, with the knowledge of the active directory usernames, could potentially exploit this vulnerability to gain unauthorized access to the system.

authentification