CVE-2024-21985

ONTAP 9 versions prior to 9.9.1P18, 9.10.1P16, 9.11.1P13, 9.12.1P10 and 9.13.1P4 are susceptible to a vulnerability which could allow an authenticated user with multiple remote accounts with differing roles to perform actions via REST API beyond their intended privilege. Possible actions include viewing limited configuration details and metrics or modifying limited settings, some of which could result in a Denial of Service (DoS).
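The fix is shipped as patch releases, so a version check has to look at the P-level, which ONTAP reports only in the human-readable version string. The following is an added example, not NetApp's own tooling or anything from this advisory: it parses a version string such as the `version.full` field that the ONTAP REST `GET /api/cluster` response is assumed to carry (that endpoint and field name are assumptions here, not stated on this page) and maps it onto the fixed versions named in the description. The JSON body is constructed for the example; trains newer than 9.13 are reported as "not listed" rather than guessed at, because this page says nothing about them.

```python
import json
import re

# Fixed patch levels named in the advisory, keyed by (generation, major) release train.
# Anything on these trains below the fix is vulnerable; trains older than 9.9 are
# vulnerable outright (the affected range starts at 9.0); trains newer than 9.13 are
# not covered by this advisory, so the check reports them as "not listed".
FIXED_PATCH = {
    (9, 9): (1, 18),    # 9.9.1P18
    (9, 10): (1, 16),   # 9.10.1P16
    (9, 11): (1, 13),   # 9.11.1P13
    (9, 12): (1, 10),   # 9.12.1P10
    (9, 13): (1, 4),    # 9.13.1P4
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:P(\d+))?")


def parse_ontap_version(full):
    """Extract (generation, major, minor, patch) from a version string.

    The patch level only appears in the human-readable string, e.g.
    "NetApp Release 9.12.1P9: Fri Nov 10 ...". A release without a
    'P' suffix is treated as patch level 0.
    """
    m = _VERSION_RE.search(full)
    if not m:
        raise ValueError(f"unrecognised ONTAP version string: {full!r}")
    gen, major, minor, patch = m.groups()
    return int(gen), int(major), int(minor), int(patch or 0)


def cve_2024_21985_status(full):
    """Return 'vulnerable', 'fixed' or 'not listed' for CVE-2024-21985."""
    gen, major, minor, patch = parse_ontap_version(full)
    if gen != 9:
        return "not listed"          # only ONTAP 9 is in scope of this advisory
    if major < 9:
        return "vulnerable"          # 9.0 <= x < 9.9.1: no fixed patch on these trains
    train = (gen, major)
    if train not in FIXED_PATCH:
        return "not listed"          # 9.14 and later are not mentioned on this page
    fixed_minor, fixed_patch = FIXED_PATCH[train]
    return "vulnerable" if (minor, patch) < (fixed_minor, fixed_patch) else "fixed"


def check_cluster_response(body):
    """Evaluate a (assumed) GET /api/cluster JSON body; 'version.full' is assumed."""
    doc = json.loads(body)
    return cve_2024_21985_status(doc["version"]["full"])


# Constructed sample response; the layout mirrors what the REST endpoint is assumed
# to return and is not captured from a real system.
SAMPLE_CLUSTER_JSON = """{
  "name": "lab-cluster",
  "version": {"full": "NetApp Release 9.12.1P9: Fri Nov 10 12:00:00 UTC 2023",
              "generation": 9, "major": 12, "minor": 1}
}"""

if __name__ == "__main__":
    for v in ("9.8.1P5", "9.9.1P17", "9.9.1P18", "9.10.0", "9.13.1P4", "9.14.1"):
        print(f"{v:12s} {cve_2024_21985_status(v)}")
    print("sample cluster:", check_cluster_response(SAMPLE_CLUSTER_JSON))
```

The comparison is done per release train on purpose: 9.10.1P0 sorts above 9.9.1P18 as a plain tuple yet is still affected, so a single "less than the lowest fixed version" test would produce false negatives.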



Provider   Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       NIST   7.6 HIGH     NETWORK       LOW               LOW              CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
netapp     CNA    7.6 HIGH     NETWORK       LOW               LOW              CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
CVE        ADP    ---          ---           ---               ---              ---
CISA-ADP   ADP    ---          ---           ---               ---              ---

EPSS percentile: 32%
Vendor   Product                 Version
netapp   clustered_data_ontap    9.0 ≤ 𝑥 < 9.9.1
netapp   clustered_data_ontap    9.10.0 ≤ 𝑥 < 9.10.1
netapp   clustered_data_ontap    9.11.0 ≤ 𝑥 < 9.11.1
netapp   clustered_data_ontap    9.12.0 ≤ 𝑥 < 9.12.1
netapp   clustered_data_ontap    9.13.0 ≤ 𝑥 < 9.13.1
netapp   clustered_data_ontap    9.9.1
netapp   clustered_data_ontap    9.10.1
netapp   clustered_data_ontap    9.11.1
netapp   clustered_data_ontap    9.12.1
netapp   clustered_data_ontap    9.13.1

𝑥 = Vulnerable software versions. The bare entries 9.9.1, 9.10.1, 9.11.1, 9.12.1 and 9.13.1 do not carry a patch level; per the description above, they cover patch releases below 9.9.1P18, 9.10.1P16, 9.11.1P13, 9.12.1P10 and 9.13.1P4 respectively, and the named P-release on each train is the fix.