Action not permitted
Modal body text goes here.
Modal Title
Modal Body
WID-SEC-W-2025-1248
Vulnerability from csaf_certbund - Published: 2025-06-04 22:00 - Updated: 2025-06-04 22:00Summary
HPE StoreOnce: Mehrere Schwachstellen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
HPE StoreOnce ist eine Datensicherungs- und Deduplizierungslösung für effiziente und skalierbare Backup- und Wiederherstellungsfunktionen für hybride IT-Umgebungen
Angriff
Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in HPE StoreOnce ausnutzen, um beliebigen Programmcode auszuführen, Informationen auszuspähen, Sicherheitsvorkehrungen zu umgehen umgehen oder Dateien zu manipulieren.
Betroffene Betriebssysteme
- Sonstiges
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "HPE StoreOnce ist eine Datensicherungs- und Deduplizierungsl\u00f6sung f\u00fcr effiziente und skalierbare Backup- und Wiederherstellungsfunktionen f\u00fcr hybride IT-Umgebungen",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in HPE StoreOnce ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Informationen auszusp\u00e4hen, Sicherheitsvorkehrungen zu umgehen umgehen oder Dateien zu manipulieren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-1248 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1248.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-1248 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1248"
},
{
"category": "external",
"summary": "HPE Security Bulletin vom 2025-06-04",
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us\u0026docLocale=en_US"
},
{
"category": "external",
"summary": "ZDI Advisory vom 2025-06-04",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-312/"
},
{
"category": "external",
"summary": "ZDI Advisory vom 2025-06-04",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-313/"
},
{
"category": "external",
"summary": "ZDI Advisory vom 2025-06-04",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-314/"
},
{
"category": "external",
"summary": "ZDI Advisory vom 2025-06-04",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-315/"
},
{
"category": "external",
"summary": "ZDI Advisory vom 2025-06-04",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-316/"
},
{
"category": "external",
"summary": "ZDI Advisory vom 2025-06-04",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-317/"
},
{
"category": "external",
"summary": "ZDI Advisory vom 2025-06-04",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-318/"
},
{
"category": "external",
"summary": "ZDI Advisory vom 2025-06-04",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-319/"
}
],
"source_lang": "en-US",
"title": "HPE StoreOnce: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-06-04T22:00:00.000+00:00",
"generator": {
"date": "2025-06-05T11:11:15.661+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.12"
}
},
"id": "WID-SEC-W-2025-1248",
"initial_release_date": "2025-06-04T22:00:00.000+00:00",
"revision_history": [
{
"date": "2025-06-04T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.3.11",
"product": {
"name": "HPE StoreOnce \u003c4.3.11",
"product_id": "T044394"
}
},
{
"category": "product_version",
"name": "4.3.11",
"product": {
"name": "HPE StoreOnce 4.3.11",
"product_id": "T044394-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:hpe:storeonce:4.3.11"
}
}
}
],
"category": "product_name",
"name": "storeonce"
}
],
"category": "vendor",
"name": "hpe"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-37089",
"product_status": {
"known_affected": [
"T044394"
]
},
"release_date": "2025-06-04T22:00:00.000+00:00",
"title": "CVE-2025-37089"
},
{
"cve": "CVE-2025-37090",
"product_status": {
"known_affected": [
"T044394"
]
},
"release_date": "2025-06-04T22:00:00.000+00:00",
"title": "CVE-2025-37090"
},
{
"cve": "CVE-2025-37091",
"product_status": {
"known_affected": [
"T044394"
]
},
"release_date": "2025-06-04T22:00:00.000+00:00",
"title": "CVE-2025-37091"
},
{
"cve": "CVE-2025-37092",
"product_status": {
"known_affected": [
"T044394"
]
},
"release_date": "2025-06-04T22:00:00.000+00:00",
"title": "CVE-2025-37092"
},
{
"cve": "CVE-2025-37093",
"product_status": {
"known_affected": [
"T044394"
]
},
"release_date": "2025-06-04T22:00:00.000+00:00",
"title": "CVE-2025-37093"
},
{
"cve": "CVE-2025-37094",
"product_status": {
"known_affected": [
"T044394"
]
},
"release_date": "2025-06-04T22:00:00.000+00:00",
"title": "CVE-2025-37094"
},
{
"cve": "CVE-2025-37095",
"product_status": {
"known_affected": [
"T044394"
]
},
"release_date": "2025-06-04T22:00:00.000+00:00",
"title": "CVE-2025-37095"
},
{
"cve": "CVE-2025-37096",
"product_status": {
"known_affected": [
"T044394"
]
},
"release_date": "2025-06-04T22:00:00.000+00:00",
"title": "CVE-2025-37096"
}
]
}
CVE-2025-37094 (GCVE-0-2025-37094)
Vulnerability from cvelistv5 – Published: 2025-06-02 14:02 – Updated: 2025-06-02 15:53
VLAI?
EPSS
Summary
A directory traversal arbitrary file deletion vulnerability exists in HPE StoreOnce Software.
Severity ?
5.5 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE StoreOnce Software |
Affected:
0 , < 4.3.11
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T15:53:50.369876Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T15:53:54.209Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HPE StoreOnce Software",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThan": "4.3.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A directory traversal arbitrary file deletion vulnerability\u0026nbsp;exists in HPE StoreOnce Software."
}
],
"value": "A directory traversal arbitrary file deletion vulnerability\u00a0exists in HPE StoreOnce Software."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T14:02:13.590Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us\u0026docLocale=en_US"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37094",
"datePublished": "2025-06-02T14:02:13.590Z",
"dateReserved": "2025-04-16T01:28:25.363Z",
"dateUpdated": "2025-06-02T15:53:54.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-37092 (GCVE-0-2025-37092)
Vulnerability from cvelistv5 – Published: 2025-06-02 13:53 – Updated: 2025-06-03 03:55
VLAI?
EPSS
Summary
A command injection remote code execution vulnerability exists in HPE StoreOnce Software.
Severity ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE StoreOnce Software |
Affected:
0 , < 4.3.11
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37092",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T03:55:21.693Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HPE StoreOnce Software",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThan": "4.3.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A command injection remote code execution vulnerability exists in HPE StoreOnce Software."
}
],
"value": "A command injection remote code execution vulnerability exists in HPE StoreOnce Software."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T14:05:30.329Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us\u0026docLocale=en_US"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37092",
"datePublished": "2025-06-02T13:53:14.814Z",
"dateReserved": "2025-04-16T01:28:25.363Z",
"dateUpdated": "2025-06-03T03:55:21.693Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-37096 (GCVE-0-2025-37096)
Vulnerability from cvelistv5 – Published: 2025-06-02 14:18 – Updated: 2025-06-03 03:55
VLAI?
EPSS
Summary
A command injection remote code execution vulnerability exists in HPE StoreOnce Software.
Severity ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE StoreOnce Software |
Affected:
0 , < 4.3.11
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37096",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T03:55:23.788Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HPE StoreOnce Software",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThan": "4.3.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A command injection remote code execution vulnerability exists in HPE StoreOnce Software."
}
],
"value": "A command injection remote code execution vulnerability exists in HPE StoreOnce Software."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T14:18:10.669Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us\u0026docLocale=en_US"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37096",
"datePublished": "2025-06-02T14:18:10.669Z",
"dateReserved": "2025-04-16T01:28:25.363Z",
"dateUpdated": "2025-06-03T03:55:23.788Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-37089 (GCVE-0-2025-37089)
Vulnerability from cvelistv5 – Published: 2025-06-02 13:21 – Updated: 2025-06-03 03:55
VLAI?
EPSS
Summary
A command injection remote code execution vulnerability exists in HPE StoreOnce Software.
Severity ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE StoreOnce Software |
Affected:
0 , < 4.3.11
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37089",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T03:55:19.569Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HPE StoreOnce Software",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThan": "4.3.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A command injection remote code execution vulnerability exists in HPE StoreOnce Software."
}
],
"value": "A command injection remote code execution vulnerability exists in HPE StoreOnce Software."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T14:11:17.992Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us\u0026docLocale=en_US"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37089",
"datePublished": "2025-06-02T13:21:24.852Z",
"dateReserved": "2025-04-16T01:28:25.362Z",
"dateUpdated": "2025-06-03T03:55:19.569Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-37093 (GCVE-0-2025-37093)
Vulnerability from cvelistv5 – Published: 2025-06-02 13:56 – Updated: 2025-06-03 03:55
VLAI?
EPSS
Summary
An authentication bypass vulnerability exists in HPE StoreOnce Software.
Severity ?
9.8 (Critical)
CWE
- CWE-287 - Improper Authentication
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE StoreOnce Software |
Affected:
0 , < 4.3.11
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37093",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T03:55:22.726Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HPE StoreOnce Software",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThan": "4.3.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An authentication bypass vulnerability\u0026nbsp;exists in HPE StoreOnce Software.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "An authentication bypass vulnerability\u00a0exists in HPE StoreOnce Software."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T14:03:35.668Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us\u0026docLocale=en_US"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37093",
"datePublished": "2025-06-02T13:56:18.942Z",
"dateReserved": "2025-04-16T01:28:25.363Z",
"dateUpdated": "2025-06-03T03:55:22.726Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-37090 (GCVE-0-2025-37090)
Vulnerability from cvelistv5 – Published: 2025-06-02 13:26 – Updated: 2025-06-02 15:46
VLAI?
EPSS
Summary
A server-side request forgery vulnerability exists in HPE StoreOnce Software.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE StoreOnce Software |
Affected:
0 , < 4.3.11
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37090",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T13:37:15.317023Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T15:46:56.756Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HPE StoreOnce Software",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThan": "4.3.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A server-side request forgery vulnerability\u0026nbsp;exists in HPE StoreOnce Software."
}
],
"value": "A server-side request forgery vulnerability\u00a0exists in HPE StoreOnce Software."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T14:10:22.668Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us\u0026docLocale=en_US"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37090",
"datePublished": "2025-06-02T13:26:46.823Z",
"dateReserved": "2025-04-16T01:28:25.362Z",
"dateUpdated": "2025-06-02T15:46:56.756Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-37091 (GCVE-0-2025-37091)
Vulnerability from cvelistv5 – Published: 2025-06-02 13:31 – Updated: 2025-06-03 03:55
VLAI?
EPSS
Summary
A command injection remote code execution vulnerability exists in HPE StoreOnce Software.
Severity ?
7.2 (High)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE StoreOnce Software |
Affected:
0 , < 4.3.11
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37091",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-03T03:55:20.643Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HPE StoreOnce Software",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThan": "4.3.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A command injection remote code execution vulnerability\u0026nbsp;exists in HPE StoreOnce Software."
}
],
"value": "A command injection remote code execution vulnerability\u00a0exists in HPE StoreOnce Software."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T14:08:44.120Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us\u0026docLocale=en_US"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37091",
"datePublished": "2025-06-02T13:31:54.938Z",
"dateReserved": "2025-04-16T01:28:25.362Z",
"dateUpdated": "2025-06-03T03:55:20.643Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-37095 (GCVE-0-2025-37095)
Vulnerability from cvelistv5 – Published: 2025-06-02 14:14 – Updated: 2025-06-02 15:47
VLAI?
EPSS
Summary
A directory traversal information disclosure vulnerability exists in HPE StoreOnce Software.
Severity ?
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE StoreOnce Software |
Affected:
0 , < 4.3.11
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37095",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-02T14:23:16.154218Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T15:47:41.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HPE StoreOnce Software",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThan": "4.3.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A directory traversal information disclosure vulnerability\u0026nbsp;exists in HPE StoreOnce Software."
}
],
"value": "A directory traversal information disclosure vulnerability\u00a0exists in HPE StoreOnce Software."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-02T14:14:51.450Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbst04847en_us\u0026docLocale=en_US"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37095",
"datePublished": "2025-06-02T14:14:51.450Z",
"dateReserved": "2025-04-16T01:28:25.363Z",
"dateUpdated": "2025-06-02T15:47:41.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…