CVE-2024-22459 - Vulnerability Details - OpenCVE

Dell ECS, versions 3.6 through 3.6.2.5, and 3.7 through 3.7.0.6, and 3.8 through 3.8.0.4 versions, contain an improper access control vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to unauthorized access to all buckets and their data within a namespace

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dell	Elastic Cloud Storage

Configuration 1 [-]

OR	cpe:2.3:a:dell:elastic_cloud_storage::::::::
	cpe:2.3:a:dell:elastic_cloud_storage::::::::
	cpe:2.3:a:dell:elastic_cloud_storage::::::::

No data.

References

Link	Providers
https://www.dell.com/support/kbdoc/en-us/000222470/dsa-2024-078-security-update-for-dell-ecs-access-control-vulnerability

History

Tue, 04 Feb 2025 17:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Dell Dell elastic Cloud Storage
Weaknesses		NVD-CWE-noinfo
CPEs		cpe:2.3:a:dell:elastic_cloud_storage::::::::
Vendors & Products		Dell Dell elastic Cloud Storage

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2024-02-28T08:22:43.778Z

Updated: 2024-08-15T19:32:45.701Z

Reserved: 2024-01-10T15:29:59.457Z

Link: CVE-2024-22459

Vulnrichment

Updated: 2024-08-01T22:43:34.995Z

NVD

Status : Analyzed

Published: 2024-02-28T09:15:43.877

Modified: 2025-02-04T17:26:52.583

Link: CVE-2024-22459

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22459", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "state": "PUBLISHED", "assignerShortName": "dell", "dateReserved": "2024-01-10T15:29:59.457Z", "datePublished": "2024-02-28T08:22:43.778Z", "dateUpdated": "2024-08-15T19:32:45.701Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "ECS", "vendor": "Dell", "versions": [{"lessThanOrEqual": "3.8.0.4", "status": "affected", "version": "3.8", "versionType": "semver"}, {"lessThanOrEqual": "3.7.0.6", "status": "affected", "version": "3.7", "versionType": "semver"}, {"lessThanOrEqual": "3.6.2.5", "status": "affected", "version": "3.6", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Amund Tenstad"}], "datePublic": "2024-02-26T06:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Dell ECS, versions 3.6 through 3.6.2.5, and 3.7 through 3.7.0.6, and 3.8 through 3.8.0.4 versions, contain an improper access control vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to unauthorized access to all buckets and their data within a namespace"}], "value": "Dell ECS, versions 3.6 through 3.6.2.5, and 3.7 through 3.7.0.6, and 3.8 through 3.8.0.4 versions, contain an improper access control vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to unauthorized access to all buckets and their data within a namespace"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2024-02-28T08:23:57.807Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000222470/dsa-2024-078-security-update-for-dell-ecs-access-control-vulnerability"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:34.995Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.dell.com/support/kbdoc/en-us/000222470/dsa-2024-078-security-update-for-dell-ecs-access-control-vulnerability"}]}, {"affected": [{"vendor": "dell", "product": "elastic_cloud_storage", "cpes": ["cpe:2.3:a:dell:elastic_cloud_storage:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "3.8", "status": "affected", "lessThanOrEqual": "3.8.0.4", "versionType": "custom"}, {"version": "3.7", "status": "affected", "lessThanOrEqual": "3.7.0.6", "versionType": "custom"}, {"version": "3.6", "status": "affected", "lessThanOrEqual": "3.6.2.5", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-02-28T20:50:59.123504Z", "id": "CVE-2024-22459", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-15T19:32:45.701Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000222470/dsa-2024-078-security-update-for-dell-ecs-access-control-vulnerability", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:43:34.995Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22459", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-02-28T20:50:59.123504Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:dell:elastic_cloud_storage:*:*:*:*:*:*:*:*"], "vendor": "dell", "product": "elastic_cloud_storage", "versions": [{"status": "affected", "version": "3.8", "versionType": "custom", "lessThanOrEqual": "3.8.0.4"}, {"status": "affected", "version": "3.7", "versionType": "custom", "lessThanOrEqual": "3.7.0.6"}, {"status": "affected", "version": "3.6", "versionType": "custom", "lessThanOrEqual": "3.6.2.5"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-15T19:32:41.674Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Amund Tenstad"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Dell", "product": "ECS", "versions": [{"status": "affected", "version": "3.8", "versionType": "semver", "lessThanOrEqual": "3.8.0.4"}, {"status": "affected", "version": "3.7", "versionType": "semver", "lessThanOrEqual": "3.7.0.6"}, {"status": "affected", "version": "3.6", "versionType": "semver", "lessThanOrEqual": "3.6.2.5"}], "defaultStatus": "unaffected"}], "datePublic": "2024-02-26T06:30:00.000Z", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000222470/dsa-2024-078-security-update-for-dell-ecs-access-control-vulnerability", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Dell ECS, versions 3.6 through 3.6.2.5, and 3.7 through 3.7.0.6, and 3.8 through 3.8.0.4 versions, contain an improper access control vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to unauthorized access to all buckets and their data within a namespace", "supportingMedia": [{"type": "text/html", "value": "Dell ECS, versions 3.6 through 3.6.2.5, and 3.7 through 3.7.0.6, and 3.8 through 3.8.0.4 versions, contain an improper access control vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to unauthorized access to all buckets and their data within a namespace", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284: Improper Access Control"}]}], "providerMetadata": {"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell", "dateUpdated": "2024-02-28T08:23:57.807Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22459", "state": "PUBLISHED", "dateUpdated": "2024-08-15T19:32:45.701Z", "dateReserved": "2024-01-10T15:29:59.457Z", "assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "datePublished": "2024-02-28T08:22:43.778Z", "assignerShortName": "dell"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dell:elastic_cloud_storage:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A759448-E920-4A63-B24A-3B7328283C9E", "versionEndExcluding": "3.6.2.6", "versionStartIncluding": "3.6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:elastic_cloud_storage:*:*:*:*:*:*:*:*", "matchCriteriaId": "7EEB001F-B60C-4143-BCB8-B2323F2817E6", "versionEndExcluding": "3.7.0.7", "versionStartIncluding": "3.7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:elastic_cloud_storage:*:*:*:*:*:*:*:*", "matchCriteriaId": "D2D106C1-6268-4005-A220-933C911AAC91", "versionEndExcluding": "3.8.0.5", "versionStartIncluding": "3.8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell ECS, versions 3.6 through 3.6.2.5, and 3.7 through 3.7.0.6, and 3.8 through 3.8.0.4 versions, contain an improper access control vulnerability. A remote high privileged attacker could potentially exploit this vulnerability, leading to unauthorized access to all buckets and their data within a namespace"}, {"lang": "es", "value": "Dell ECS, versiones 3.6 a 3.6.2.5, 3.7 a 3.7.0.6 y 3.8 a 3.8.0.4, contienen una vulnerabilidad de control de acceso inadecuado. Un atacante remoto con altos privilegios podr\u00eda explotar esta vulnerabilidad, lo que llevar\u00eda a un acceso no autorizado a todos los dep\u00f3sitos y sus datos dentro de un espacio de nombres."}], "id": "CVE-2024-22459", "lastModified": "2025-02-04T17:26:52.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "security_alert@emc.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-28T09:15:43.877", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000222470/dsa-2024-078-security-update-for-dell-ecs-access-control-vulnerability"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000222470/dsa-2024-078-security-update-for-dell-ecs-access-control-vulnerability"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "security_alert@emc.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}