Dell Emc Powerscale Onefs

Dell PowerScale OneFS 9.5 Improper Link Resolution (isi_gather_info)
CVE-2023-25940 7.8 - High - April 04, 2023

Dell PowerScale OneFS version 9.5.0.0 contains improper link resolution before file access vulnerability in isi_gather_info. A high privileged local attacker could potentially exploit this vulnerability, leading to system takeover and it breaks the compliance mode guarantees.

insecure temporary file

Dell PowerScale OneFS PrivEsc & DoS (8.2.x-9.5.0.x)
CVE-2023-25941 7.8 - High - April 04, 2023

Dell PowerScale OneFS versions 8.2.x-9.5.0.x contain an elevation of privilege vulnerability. A low-privileged local attacker could potentially exploit this vulnerability, leading to Denial of service, escalation of privileges, and information disclosure. This vulnerability breaks the compliance mode guarantee.

Incorrect Default Permissions

Uncontrolled Resource Consumption in SMB on Dell PowerScale OneFS 8.2-9.4 (DoS)
CVE-2023-25942 6.5 - Medium - April 04, 2023

Dell PowerScale OneFS versions 8.2.x-9.4.x contain an uncontrolled resource consumption vulnerability. A malicious network user with low privileges could potentially exploit this vulnerability in SMB, leading to a potential denial of service.

Improper Control of a Resource Through its Lifetime

Dell PowerScale OneFS 9.4.0.x Default Perm Flaw Lets Local User Overwrite Files
CVE-2023-25540 7.1 - High - February 28, 2023

Dell PowerScale OneFS 9.4.0.x contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability to overwrite arbitrary files causing denial of service.

Incorrect Default Permissions

Dell PowerScale OneFS <=9.4 CVE-2022-33934 Stored XSS in Fields
CVE-2022-33934 4.8 - Medium - February 10, 2023

Dell PowerScale OneFS, versions 8.2.x through 9.4.x contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges may potentially exploit these vulnerabilities to store malicious HTML or JavaScript code through multiple affected fields.

XSS

Dell PowerScale OneFS heapbased buf overflow (v8.2.x9.3.x)
CVE-2022-34454 6.7 - Medium - February 10, 2023

Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a heap-based buffer overflow. A local privileged malicious user could potentially exploit this vulnerability, leading to system takeover. This impacts compliance mode clusters.

Memory Corruption

Dell PowerScale OneFS 9.x-9.4.x CloudPool Log Injection Low Priv Local Exploit
CVE-2023-22573 5.5 - Medium - February 01, 2023

Dell PowerScale OneFS 9.0.0.x-9.4.0.x contain an insertion of sensitive information into log file vulnerability in cloudpool. A low privileged local attacker could potentially exploit this vulnerability, leading to sensitive information disclosure.

Insertion of Sensitive Information into Log File

Dell PowerScale OneFS 9.x IPMI API Log Disclosure
CVE-2023-22574 8.1 - High - February 01, 2023

Dell PowerScale OneFS 9.0.0.x - 9.4.0.x contain an insertion of sensitive information into log file vulnerability in platform API of IPMI module. A low-privileged user with permission to read logs on the cluster could potentially exploit this vulnerability, leading to Information disclosure and denial of service.

Insertion of Sensitive Information into Log File

Dell PowerScale OneFS 9.x celog log injection CVE-2023-22575
CVE-2023-22575 8.8 - High - February 01, 2023

Dell PowerScale OneFS 9.0.0.x - 9.4.0.x contain an insertion of sensitive information into log file vulnerability in celog. A low privileges user could potentially exploit this vulnerability, leading to information disclosure and escalation of privileges.

Insertion of Sensitive Information into Log File

Dell PowerScale OneFS 9.4.0.x Log Injection via Change Password API
CVE-2023-22572 7.8 - High - February 01, 2023

Dell PowerScale OneFS 9.1.0.x-9.4.0.x contain an insertion of sensitive information into log file vulnerability in change password api. A low privilege local attacker could potentially exploit this vulnerability, leading to system takeover.

Insertion of Sensitive Information into Log File

Dell PowerScale OneFS 8.2-9.3 ImpCertVal Vulnerability CVE-2022-45100
CVE-2022-45100 9.8 - Critical - February 01, 2023

Dell PowerScale OneFS, versions 8.2.x-9.3.x, contains an Improper Certificate Validation vulnerability. An remote unauthenticated attacker could potentially exploit this vulnerability, leading to a full compromise of the system.

Improper Certificate Validation

Dell PowerScale OneFS NDMP Weak Password Encoding CVE-2022-45099
CVE-2022-45099 7.8 - High - February 01, 2023

Dell PowerScale OneFS, versions 8.2.x-9.4.x, contain a weak encoding for a NDMP password. A malicious and privileged local attacker could potentially exploit this vulnerability, leading to a full system compromise

Incorrect Default Permissions

Dell PowerScale OneFS 8.2.x-9.4.x DoS via Insufficient Rsc Pool
CVE-2022-46679 7.5 - High - February 01, 2023

Dell PowerScale OneFS 8.2.x, 9.0.0.x - 9.4.0.x, contain an insufficient resource pool vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service.

Dell PowerScale OneFS S3 cleartext storage of sensitive info (9.0-9.4)
CVE-2022-45098 5.5 - Medium - February 01, 2023

Dell PowerScale OneFS, 9.0.0.x-9.4.0.x, contain a cleartext storage of sensitive information vulnerability in S3 component. An authenticated local attacker could potentially exploit this vulnerability, leading to information disclosure.

Cleartext Storage of Sensitive Information

Dell OneFS 9.0.0.x Incorrect User Mgr: Priv Esc & Info Disclosure
CVE-2022-45097 8.8 - High - February 01, 2023

Dell PowerScale OneFS 9.0.0.x-9.4.0.x contains an Incorrect User Management vulnerability. A low privileged network attacker could potentially exploit this vulnerability, leading to escalation of privileges, and information disclosure.

Dell PowerScale OneFS 8.2.0-9.3.0: Unauth Remote UI Disclosure
CVE-2022-45096 6.5 - Medium - February 01, 2023

Dell PowerScale OneFS, 8.2.0 through 9.3.0, contain an User Interface Security Issue. An unauthenticated remote user could unintentionally lead an administrator to enable this vulnerability, leading to disclosure of information.

Clickjacking

Dell PowerScale OneFS 8.2.x-9.4.x Cmd Injection via Local Shell
CVE-2022-45095 6.7 - Medium - February 01, 2023

Dell PowerScale OneFS, 8.2.x-9.4.x, contain a command injection vulnerability. An authenticated user having access local shell and having the privilege to gather logs from the cluster could potentially exploit this vulnerability, leading to execute arbitrary commands, denial of service, information disclosure, and data deletion.

Command Injection

NFS Privilege Escalation in Dell PowerScale OneFS 9.x (CVE-2022-45101)
CVE-2022-45101 9.8 - Critical - February 01, 2023

Dell PowerScale OneFS 9.0.0.x - 9.4.0.x, contains an Improper Handling of Insufficient Privileges vulnerability in NFS. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure and remote execution.

Improper Privilege Management

Dell PowerScale OneFS 9.0-9.3.0.6 Log Sensitive Data Disclosure
CVE-2022-31239 4.4 - Medium - October 21, 2022

Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, and 9.3.0.6, contain sensitive data in log files vulnerability. A privileged local user may potentially exploit this vulnerability, leading to disclosure of this sensitive data.

Insertion of Sensitive Information into Log File

Dell PowerScale OneFS 8.2.2-9.3.0 OS Command Injection in privileged local code
CVE-2022-34437 6.7 - Medium - October 21, 2022

Dell PowerScale OneFS, versions 8.2.2-9.3.0, contain an OS command injection vulnerability. A privileged local malicious user could potentially exploit this vulnerability, leading to a full system compromise. This impacts compliance mode clusters.

Shell injection

Dell PowerScale OneFS 8.2.x-9.4.0.x Privilege Escalation via Context Switching
CVE-2022-34438 6.7 - Medium - October 21, 2022

Dell PowerScale OneFS, versions 8.2.x-9.4.0.x, contain a privilege context switching error. A local authenticated malicious user with high privileges could potentially exploit this vulnerability, leading to full system compromise. This impacts compliance mode clusters.

Improper Privilege Management

Dell PowerScale OneFS 8.29.4: Resource Allocation DoS
CVE-2022-34439 7.5 - High - October 21, 2022

Dell PowerScale OneFS, versions 8.2.0.x-9.4.0.x contain allocation of Resources Without Limits or Throttling vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service and performance issue on that node.

Allocation of Resources Without Limits or Throttling

Low-Priviledge Local Rel Path Traversal in Dell PowerScale OneFS 9.0-9.4 DoS
CVE-2022-34378 5.5 - Medium - September 02, 2022

Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.20, 9.2.1.13, 9.3.0.6, and 9.4.0.3, contain a relative path traversal vulnerability. A low privileged local attacker could potentially exploit this vulnerability, leading to denial of service.

Directory traversal

Dell PowerScale OneFS <9.4.0.3: Unprotected Credential Transport (CVE-2022-34371)
CVE-2022-34371 9.8 - Critical - September 02, 2022

Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.3, contain an unprotected transport of credentials vulnerability. A malicious unprivileged network attacker could potentially exploit this vulnerability, leading to full system compromise.

Insufficiently Protected Credentials

Dell PowerScale OneFS <9.4.0.3 Log Insertion Exposes Sensitive Data
CVE-2022-34369 7.5 - High - September 02, 2022

Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.20, 9.2.1.13, 9.3.0.6, and 9.4.0.3 , contain an insertion of sensitive information in log files vulnerability. A remote unprivileged attacker could potentially exploit this vulnerability, leading to exposure of this sensitive data.

Insertion of Sensitive Information into Log File

Dell PowerScale OneFS SyncIQ Improper Permission Preservation v9.2.0-9.3 (CVE-2022-31237)
CVE-2022-31237 3.3 - Low - August 22, 2022

Dell PowerScale OneFS, versions 9.2.0 up to and including 9.2.1.12 and 9.3.0.5 contain an improper preservation of permissions vulnerability in SyncIQ. A low privileged local attacker may potentially exploit this vulnerability, leading to limited information disclosure.

Improper Preservation of Permissions

Dell PowerScale OneFS 9.4.0.2: CLI Proc Invoked with Sens. Leads to Disclosure
CVE-2022-31238 5.5 - Medium - August 22, 2022

Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain a process invoked with sensitive information vulnerability. A CLI user may potentially exploit this vulnerability, leading to information disclosure.

Information Disclosure

Dell PowerScale OneFS 9.x Insecure Init Info Disclosure
CVE-2022-32480 6.5 - Medium - August 22, 2022

Dell PowerScale OneFS, versions 9.0.0, up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain an insecure default initialization of a resource vulnerability. A remote authenticated attacker may potentially exploit this vulnerability, leading to information disclosure.

Insecure Default Initialization of Resource

Unprotected Primary Channel in Dell PowerScale OneFS 9.0-9.4: Denial of Service
CVE-2022-33932 5.3 - Medium - August 22, 2022

Dell PowerScale OneFS, versions 9.0.0 up to and including 9.1.0.19, 9.2.1.12, 9.3.0.6, and 9.4.0.2, contain an unprotected primary channel vulnerability. An unauthenticated network malicious attacker may potentially exploit this vulnerability, leading to a denial of filesystem services.

Dell EMC PowerScale OneFS 8.1.x - 9.1.x contain hard coded credentials
CVE-2022-22560 5.5 - Medium - April 12, 2022

Dell EMC PowerScale OneFS 8.1.x - 9.1.x contain hard coded credentials. This allows a local user with knowledge of the credentials to login as the admin user to the backend ethernet switch of a PowerScale cluster. The attacker can exploit this vulnerability to take the switch offline.

Use of Hard-coded Credentials

Dell PowerScale OneFS, 8.2,x, 9.1.0.x, 9.2.1.x, and 9.3.0.x contain a denial of service vulnerability
CVE-2022-23163 5.5 - Medium - April 12, 2022

Dell PowerScale OneFS, 8.2,x, 9.1.0.x, 9.2.1.x, and 9.3.0.x contain a denial of service vulnerability. A local malicious user could potentially exploit this vulnerability, leading to denial of service/data unavailability.

Exposure of Resource to Wrong Sphere

Dell PowerScale OneFS 8.2.2 and above contain an elevation of privilege vulnerability
CVE-2022-24411 7.8 - High - April 12, 2022

Dell PowerScale OneFS 8.2.2 and above contain an elevation of privilege vulnerability. A local attacker with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE could potentially exploit this vulnerability, leading to elevation of privilege. This could potentially allow users to circumvent PowerScale Compliance Mode guarantees.

Exposure of Resource to Wrong Sphere

Dell EMC PowerScale OneFS 8.2.x - 9.3.0.x contain an improper handling of value vulnerability
CVE-2022-24412 7.5 - High - April 12, 2022

Dell EMC PowerScale OneFS 8.2.x - 9.3.0.x contain an improper handling of value vulnerability. An unprivileged network attacker could potentially exploit this vulnerability, leading to denial-of-service.

Dell PowerScale OneFS, versions 8.2.2-9.3.x, contain a time-of-check-to-time-of-use vulnerability
CVE-2022-24413 3.6 - Low - April 12, 2022

Dell PowerScale OneFS, versions 8.2.2-9.3.x, contain a time-of-check-to-time-of-use vulnerability. A local user with access to the filesystem could potentially exploit this vulnerability, leading to data loss.

TOCTTOU

Dell PowerScale OneFS, 8.2.x-9.3.x, contains a Improper Certificate Validation
CVE-2022-22549 8.1 - High - April 12, 2022

Dell PowerScale OneFS, 8.2.x-9.3.x, contains a Improper Certificate Validation. A unauthenticated remote attacker could potentially exploit this vulnerability, leading to a man-in-the-middle capture of administrative credentials.

Improper Certificate Validation

Dell PowerScale OneFS, versions 8.2.2 and above, contain a password disclosure vulnerability
CVE-2022-22550 6.7 - Medium - April 12, 2022

Dell PowerScale OneFS, versions 8.2.2 and above, contain a password disclosure vulnerability. An unprivileged local attacker could potentially exploit this vulnerability, leading to account take over.

Insufficiently Protected Credentials

Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm
CVE-2022-22559 7.5 - High - April 12, 2022

Dell PowerScale OneFS, version 9.3.0, contains a use of a broken or risky cryptographic algorithm. An unprivileged network attacker could exploit this vulnerability, leading to the potential for information disclosure.

Use of a Broken or Risky Cryptographic Algorithm

Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts
CVE-2022-22561 9.8 - Critical - April 12, 2022

Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contain an improper restriction of excessive authentication attempts. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to compromised accounts.

Improper Restriction of Excessive Authentication Attempts

Dell PowerScale OneFS, versions 8.2.0-9.3.0, contain a improper handling of missing values exploit
CVE-2022-22562 7.5 - High - April 12, 2022

Dell PowerScale OneFS, versions 8.2.0-9.3.0, contain a improper handling of missing values exploit. An unauthenticated network attacker could potentially exploit this denial-of-service vulnerability.

Dell PowerScale OneFS, versions 9.0.0-9.3.0, contain an improper authorization of index containing sensitive information
CVE-2022-22565 3.8 - Low - April 12, 2022

Dell PowerScale OneFS, versions 9.0.0-9.3.0, contain an improper authorization of index containing sensitive information. An authenticated and privileged user could potentially exploit this vulnerability, leading to disclosure or modification of sensitive data.

Dell PowerScale OneFS, 8.2.2 - 9.3.0.x, contain a missing release of memory after effective lifetime vulnerability
CVE-2022-23159 6.5 - Medium - April 12, 2022

Dell PowerScale OneFS, 8.2.2 - 9.3.0.x, contain a missing release of memory after effective lifetime vulnerability. An authenticated user with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE and ISI_PRIV_AUTH_PROVIDERS privileges could exploit this vulnerability, leading to a Denial-Of-Service. This can also impact a cluster in Compliance mode. Dell recommends to update at the earliest opportunity.

Memory Leak

Dell PowerScale OneFS, versions 8.2.0-9.3.0, contains an Improper Handling of Insufficient Permissions vulnerability
CVE-2022-23160 4.3 - Medium - April 12, 2022

Dell PowerScale OneFS, versions 8.2.0-9.3.0, contains an Improper Handling of Insufficient Permissions vulnerability. An remote malicious user could potentially exploit this vulnerability, leading to gaining write permissions on read-only files.

Improper Privilege Management

Dell PowerScale OneFS versions 8.2.x - 9.3.0.x contain a denial-of-service vulnerability in SmartConnect
CVE-2022-23161 7.5 - High - April 12, 2022

Dell PowerScale OneFS versions 8.2.x - 9.3.0.x contain a denial-of-service vulnerability in SmartConnect. An unprivileged network attacker may potentially exploit this vulnerability, leading to denial-of-service.

Improper Handling of Exceptional Conditions

Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain risky cryptographic algorithms
CVE-2022-26854 9.8 - Critical - April 08, 2022

Dell PowerScale OneFS, versions 8.2.x-9.2.x, contain risky cryptographic algorithms. A remote unprivileged malicious attacker could potentially exploit this vulnerability, leading to full system access

Use of a Broken or Risky Cryptographic Algorithm

Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability
CVE-2022-26855 5.5 - Medium - April 08, 2022

Dell PowerScale OneFS, versions 8.2.x-9.3.0.x, contains an incorrect default permissions vulnerability. A local malicious user could potentially exploit this vulnerability, leading to a denial of service.

Incorrect Default Permissions

Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator
CVE-2022-26852 9.8 - Critical - April 08, 2022

Dell PowerScale OneFS, versions 8.2.x-9.3.x, contain a predictable seed in pseudo-random number generator. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to an account compromise.

PRNG

Dell PowerScale OneFS, 8.2.2-9.3.x, contains a predictable file name from observable state vulnerability
CVE-2022-26851 9.1 - Critical - April 08, 2022

Dell PowerScale OneFS, 8.2.2-9.3.x, contains a predictable file name from observable state vulnerability. An unprivileged network attacker could potentially exploit this vulnerability, leading to data loss.

Use of Insufficiently Random Values

Dell PowerScale OneFS, versions 8.2.x, 9.0.0.x, 9.1.0.x, 9.2.0.x, 9.2.1.x, and 9.3.0.x, contain an improper preservation of privileges
CVE-2022-24428 8.8 - High - April 08, 2022

Dell PowerScale OneFS, versions 8.2.x, 9.0.0.x, 9.1.0.x, 9.2.0.x, 9.2.1.x, and 9.3.0.x, contain an improper preservation of privileges. A remote filesystem user with a local account could potentially exploit this vulnerability, leading to an escalation of file privileges and information disclosure.

Improper Preservation of Permissions

Dell EMC Powerscale OneFS 8.2.x - 9.2.x omit security-relevant information in /etc/master.passwd
CVE-2022-22563 4.4 - Medium - April 08, 2022

Dell EMC Powerscale OneFS 8.2.x - 9.2.x omit security-relevant information in /etc/master.passwd. A high-privileged user can exploit this vulnerability to not record information identifying the source of account information changes.

Dell PowerScale OneFS version 8.1.2 contains a sensitive information exposure vulnerability
CVE-2021-21561 5.5 - Medium - November 23, 2021

Dell PowerScale OneFS version 8.1.2 contains a sensitive information exposure vulnerability. This would allow a malicious user with ISI_PRIV_LOGIN_SSH and/or ISI_PRIV_LOGIN_CONSOLE privileges to gain access to sensitive information in the log files.

Insertion of Sensitive Information into Log File