Vulnerability-Lookup

CNVD-2022-88930

Vulnerability from cnvd - Published: 2022-12-17

Title

Cloud Mobility for Dell EMC Storage访问控制错误漏洞

Description

Cloud Mobility for Dell EMC Storage是美国戴尔（Dell）公司的一项支持在兼容的本地Dell EMC存储设备和公共云对象存储之间传输、存储和访问卷快照副本的功能。 Cloud Mobility for Dell EMC Storage 1.3.1之前版本存在访问控制错误漏洞，该漏洞源于在 Postgres数据库中包含不正确的访问控制洞，攻击者可利用漏洞导致修改或删除Cloud Mobility较多核心功能表。

Severity

中

Patch Name

Cloud Mobility for Dell EMC Storage访问控制错误漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.dell.com/support/kbdoc/en-vc/000203434/dsa-2022-264-cloud-mobility-for-dell-storage-security-update-for-an-insecure-database-vulnerability

Reference

https://www.dell.com/support/kbdoc/en-vc/000203434/dsa-2022-264-cloud-mobility-for-dell-storage-security-update-for-an-insecure-database-vulnerability

Impacted products

Name
DELL Cloud Mobility for Dell EMC Storage <1.3.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-34434",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2022-34434"
    }
  },
  "description": "Cloud Mobility for Dell EMC Storage\u662f\u7f8e\u56fd\u6234\u5c14\uff08Dell\uff09\u516c\u53f8\u7684\u4e00\u9879\u652f\u6301\u5728\u517c\u5bb9\u7684\u672c\u5730Dell EMC\u5b58\u50a8\u8bbe\u5907\u548c\u516c\u5171\u4e91\u5bf9\u8c61\u5b58\u50a8\u4e4b\u95f4\u4f20\u8f93\u3001\u5b58\u50a8\u548c\u8bbf\u95ee\u5377\u5feb\u7167\u526f\u672c\u7684\u529f\u80fd\u3002\n\nCloud Mobility for Dell EMC Storage 1.3.1\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728 Postgres\u6570\u636e\u5e93\u4e2d\u5305\u542b\u4e0d\u6b63\u786e\u7684\u8bbf\u95ee\u63a7\u5236\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u5bfc\u81f4\u4fee\u6539\u6216\u5220\u9664Cloud Mobility\u8f83\u591a\u6838\u5fc3\u529f\u80fd\u8868\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.dell.com/support/kbdoc/en-vc/000203434/dsa-2022-264-cloud-mobility-for-dell-storage-security-update-for-an-insecure-database-vulnerability",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-88930",
  "openTime": "2022-12-17",
  "patchDescription": "Cloud Mobility for Dell EMC Storage\u662f\u7f8e\u56fd\u6234\u5c14\uff08Dell\uff09\u516c\u53f8\u7684\u4e00\u9879\u652f\u6301\u5728\u517c\u5bb9\u7684\u672c\u5730Dell EMC\u5b58\u50a8\u8bbe\u5907\u548c\u516c\u5171\u4e91\u5bf9\u8c61\u5b58\u50a8\u4e4b\u95f4\u4f20\u8f93\u3001\u5b58\u50a8\u548c\u8bbf\u95ee\u5377\u5feb\u7167\u526f\u672c\u7684\u529f\u80fd\u3002\r\n\r\nCloud Mobility for Dell EMC Storage 1.3.1\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728 Postgres\u6570\u636e\u5e93\u4e2d\u5305\u542b\u4e0d\u6b63\u786e\u7684\u8bbf\u95ee\u63a7\u5236\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u6f0f\u6d1e\u5bfc\u81f4\u4fee\u6539\u6216\u5220\u9664Cloud Mobility\u8f83\u591a\u6838\u5fc3\u529f\u80fd\u8868\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cloud Mobility for Dell EMC Storage\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "DELL Cloud Mobility for Dell EMC Storage \u003c1.3.1"
  },
  "referenceLink": "https://www.dell.com/support/kbdoc/en-vc/000203434/dsa-2022-264-cloud-mobility-for-dell-storage-security-update-for-an-insecure-database-vulnerability",
  "serverity": "\u4e2d",
  "submitTime": "2022-10-13",
  "title": "Cloud Mobility for Dell EMC Storage\u8bbf\u95ee\u63a7\u5236\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2022-34434 (GCVE-0-2022-34434)

Vulnerability from cvelistv5 – Published: 2022-10-11 16:40 – Updated: 2025-05-19 16:54

Summary

Cloud Mobility for Dell Storage versions 1.3.0 and earlier contains an Improper Access Control vulnerability within the Postgres database. A threat actor with root level access to either the vApp or containerized versions of Cloud Mobility may potentially exploit this vulnerability, leading to the modification or deletion of tables that are required for many of the core functionalities of Cloud Mobility. Exploitation may lead to the compromise of integrity and availability of the normal functionality of the Cloud Mobility application.

Severity ?

6.7 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-285 - Improper Authorization

Assigner

dell

References

URL

Tags

https://www.dell.com/support/kbdoc/en-vc/00020343…

Impacted products

	Vendor	Product	Version
	Dell	Cloud Mobility for Dell Storage	Affected: unspecified , < 1.3.1 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T09:07:16.343Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.dell.com/support/kbdoc/en-vc/000203434/dsa-2022-264-cloud-mobility-for-dell-storage-security-update-for-an-insecure-database-vulnerability"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-34434",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-19T16:53:58.937379Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-19T16:54:06.489Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Cloud Mobility for Dell Storage",
          "vendor": "Dell",
          "versions": [
            {
              "lessThan": "1.3.1",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2022-09-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cloud Mobility for Dell Storage versions 1.3.0 and earlier contains an Improper Access Control vulnerability within the Postgres database. A threat actor with root level access to either the vApp or containerized versions of Cloud Mobility may potentially exploit this vulnerability, leading to the modification or deletion of tables that are required for many of the core functionalities of Cloud Mobility. Exploitation may lead to the compromise of integrity and availability of the normal functionality of the Cloud Mobility application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-10-11T00:00:00.000Z",
        "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
        "shortName": "dell"
      },
      "references": [
        {
          "url": "https://www.dell.com/support/kbdoc/en-vc/000203434/dsa-2022-264-cloud-mobility-for-dell-storage-security-update-for-an-insecure-database-vulnerability"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
    "assignerShortName": "dell",
    "cveId": "CVE-2022-34434",
    "datePublished": "2022-10-11T16:40:23.478Z",
    "dateReserved": "2022-06-23T00:00:00.000Z",
    "dateUpdated": "2025-05-19T16:54:06.489Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-88930

CVE-2022-34434 (GCVE-0-2022-34434)

Tags

Sightings

Nomenclature