FKIE_CVE-2019-3723

Vulnerability from fkie_nvd - Published: 2019-06-06 19:29 - Updated: 2024-11-21 04:42
Severity ?
9.1 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
9.1 (Critical) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Summary
Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain a web parameter tampering vulnerability. A remote unauthenticated attacker could potentially manipulate parameters of web requests to OMSA to create arbitrary files with empty content or delete the contents of any existing file, due to improper input parameter validation
References
security_alert@emc.comhttp://www.securityfocus.com/bid/108685Third Party Advisory
security_alert@emc.comhttps://www.dell.com/support/article/us/en/04/sln317441/dsa-2019-074-dell-emc-openmanage-server-administrator-multiple-vulnerabilities?lang=enVendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.securityfocus.com/bid/108685Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://www.dell.com/support/article/us/en/04/sln317441/dsa-2019-074-dell-emc-openmanage-server-administrator-multiple-vulnerabilities?lang=enVendor Advisory
Impacted products
Vendor Product Version
dell emc_openmanage_server_administrator 9.1
dell emc_openmanage_server_administrator 9.1.0.1
dell emc_openmanage_server_administrator 9.1.0.2
dell emc_openmanage_server_administrator 9.2
dell emc_openmanage_server_administrator 9.2.0.1
dell emc_openmanage_server_administrator 9.2.0.2
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:dell:emc_openmanage_server_administrator:9.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "27A15630-3C36-4160-99E2-76B8B29EC6E3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dell:emc_openmanage_server_administrator:9.1.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "F0464BDE-2461-4ECB-BA4E-4E92A80F6808",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dell:emc_openmanage_server_administrator:9.1.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "C76D0E62-E7CB-43DE-90B4-FF92D4AFC9DE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dell:emc_openmanage_server_administrator:9.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "C3463683-F756-4581-A39C-24AA74982242",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dell:emc_openmanage_server_administrator:9.2.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "729D5479-F7ED-48DF-A206-62A2EAFFCF43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:dell:emc_openmanage_server_administrator:9.2.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C66F3E6-465A-4465-A686-0698E81062ED",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Dell EMC OpenManage Server Administrator (OMSA) versions prior to 9.1.0.3 and prior to 9.2.0.4 contain a web parameter tampering vulnerability. A remote unauthenticated attacker could potentially manipulate parameters of web requests to OMSA to create arbitrary files with empty content or delete the contents of any existing file, due to improper input parameter validation"
    },
    {
      "lang": "es",
      "value": "Las versiones de Dell EMC OpenManage Server Administrator (OMSA) anteriores a 9.1.0.3 y anteriores a 9.2.0.4 contienen una vulnerabilidad de manipulaci\u00f3n de par\u00e1metros web. Un atacante remoto no identificado podr\u00eda potencialmente manipular los par\u00e1metros de las solicitudes web a OMSA para crear archivos arbitrarios con contenido vac\u00edo o eliminar el contenido de cualquier archivo existente, debido a una validaci\u00f3n incorrecta de los par\u00e1metros de entrada"
    }
  ],
  "id": "CVE-2019-3723",
  "lastModified": "2024-11-21T04:42:24.417",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.4,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 4.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "security_alert@emc.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-06-06T19:29:00.750",
  "references": [
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.securityfocus.com/bid/108685"
    },
    {
      "source": "security_alert@emc.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.dell.com/support/article/us/en/04/sln317441/dsa-2019-074-dell-emc-openmanage-server-administrator-multiple-vulnerabilities?lang=en"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "http://www.securityfocus.com/bid/108685"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.dell.com/support/article/us/en/04/sln317441/dsa-2019-074-dell-emc-openmanage-server-administrator-multiple-vulnerabilities?lang=en"
    }
  ],
  "sourceIdentifier": "security_alert@emc.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.