CVE-2019-18582

18.03.2020, 19:15

Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server-side template injection vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to inject malicious report generation scripts in the server. This may lead to OS command execution as the regular user runs the DPA service on the affected system.

Code Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.2 HIGH	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
dell	CNA	9.1 CRITICAL	NETWORK	LOW	HIGH	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 84%

Vendor	Product	Version
dell	emc_data_protection_advisor	6.3
dell	emc_data_protection_advisor	6.4
dell	emc_data_protection_advisor	6.5
dell	emc_data_protection_advisor	18.1
dell	emc_data_protection_advisor	18.2
dell	emc_data_protection_advisor	19.1
dell	emc_integrated_data_protection_appliance_firmware	2.0
dell	emc_integrated_data_protection_appliance_firmware	2.1
dell	emc_integrated_data_protection_appliance_firmware	2.2
dell	emc_integrated_data_protection_appliance_firmware	2.3
dell	emc_integrated_data_protection_appliance_firmware	2.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-94 - Improper Control of Generation of Code ('Code Injection')
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References

https://www.dell.com/support/security/en-us/details/539430/DSA-2019-155-Dell-EMC-Data-Protection-Advisor-Security-Update-for-Multiple-Vulnerabilities