Lucene search

DellCVE-2018-11077

HistoryNov 26, 2018 - 8:29 p.m.

CVE-2018-11077

2018-11-2620:29:00

CWE-78

dell

web.nvd.nist.gov

dell emc

avamar server

integrated data protection appliance

os command injection

vulnerability

cve-2018-11077

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

8.5

Confidence

High

EPSS

0.001

Percentile

36.5%

JSON

‘getlogs’ utility in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1 and 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2 is affected by an OS command injection vulnerability. A malicious Avamar admin user may potentially be able to execute arbitrary commands under root privilege.

Affected configurations

Nvd

Vulners

Node

dellemc_avamarMatch7.2.0

dellemc_avamarMatch7.2.1

dellemc_avamarMatch7.3.0

dellemc_avamarMatch7.3.1

dellemc_avamarMatch7.4.0

dellemc_avamarMatch7.4.1

dellemc_avamarMatch7.5.0

dellemc_avamarMatch7.5.1

dellemc_avamarMatch18.1

dellemc_integrated_data_protection_applianceMatch2.0

dellemc_integrated_data_protection_applianceMatch2.1

dellemc_integrated_data_protection_applianceMatch2.2

Node

vmwarevsphere_data_protectionMatch6.0.0

vmwarevsphere_data_protectionMatch6.0.1

vmwarevsphere_data_protectionMatch6.0.2

vmwarevsphere_data_protectionMatch6.0.3

vmwarevsphere_data_protectionMatch6.0.4

vmwarevsphere_data_protectionMatch6.0.5

vmwarevsphere_data_protectionMatch6.0.6

vmwarevsphere_data_protectionMatch6.0.7

vmwarevsphere_data_protectionMatch6.0.8

vmwarevsphere_data_protectionMatch6.1.0

vmwarevsphere_data_protectionMatch6.1.1

vmwarevsphere_data_protectionMatch6.1.2

vmwarevsphere_data_protectionMatch6.1.3

vmwarevsphere_data_protectionMatch6.1.4

vmwarevsphere_data_protectionMatch6.1.5

vmwarevsphere_data_protectionMatch6.1.6

vmwarevsphere_data_protectionMatch6.1.7

vmwarevsphere_data_protectionMatch6.1.8

vmwarevsphere_data_protectionMatch6.1.9

VendorProductVersionCPE
dellemc_avamar7.2.0cpe:2.3:a:dell:emc_avamar:7.2.0:*:*:*:*:*:*:*
dellemc_avamar7.2.1cpe:2.3:a:dell:emc_avamar:7.2.1:*:*:*:*:*:*:*
dellemc_avamar7.3.0cpe:2.3:a:dell:emc_avamar:7.3.0:*:*:*:*:*:*:*
dellemc_avamar7.3.1cpe:2.3:a:dell:emc_avamar:7.3.1:*:*:*:*:*:*:*
dellemc_avamar7.4.0cpe:2.3:a:dell:emc_avamar:7.4.0:*:*:*:*:*:*:*
dellemc_avamar7.4.1cpe:2.3:a:dell:emc_avamar:7.4.1:*:*:*:*:*:*:*
dellemc_avamar7.5.0cpe:2.3:a:dell:emc_avamar:7.5.0:*:*:*:*:*:*:*
dellemc_avamar7.5.1cpe:2.3:a:dell:emc_avamar:7.5.1:*:*:*:*:*:*:*
dellemc_avamar18.1cpe:2.3:a:dell:emc_avamar:18.1:*:*:*:*:*:*:*
dellemc_integrated_data_protection_appliance2.0cpe:2.3:a:dell:emc_integrated_data_protection_appliance:2.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
dell	emc_avamar	7.2.0	cpe:2.3:a:dell:emc_avamar:7.2.0:::::::*
dell	emc_avamar	7.2.1	cpe:2.3:a:dell:emc_avamar:7.2.1:::::::*
dell	emc_avamar	7.3.0	cpe:2.3:a:dell:emc_avamar:7.3.0:::::::*
dell	emc_avamar	7.3.1	cpe:2.3:a:dell:emc_avamar:7.3.1:::::::*
dell	emc_avamar	7.4.0	cpe:2.3:a:dell:emc_avamar:7.4.0:::::::*
dell	emc_avamar	7.4.1	cpe:2.3:a:dell:emc_avamar:7.4.1:::::::*
dell	emc_avamar	7.5.0	cpe:2.3:a:dell:emc_avamar:7.5.0:::::::*
dell	emc_avamar	7.5.1	cpe:2.3:a:dell:emc_avamar:7.5.1:::::::*
dell	emc_avamar	18.1	cpe:2.3:a:dell:emc_avamar:18.1:::::::*
dell	emc_integrated_data_protection_appliance	2.0	cpe:2.3:a:dell:emc_integrated_data_protection_appliance:2.0:::::::*

Rows per page:

1-10 of 311

CNA Affected

[
  {
    "product": "Avamar",
    "vendor": "Dell EMC",
    "versions": [
      {
        "status": "affected",
        "version": "7.2.0"
      },
      {
        "status": "affected",
        "version": "7.2.1"
      },
      {
        "status": "affected",
        "version": "7.3.0"
      },
      {
        "status": "affected",
        "version": "7.3.1"
      },
      {
        "status": "affected",
        "version": "7.4.0"
      },
      {
        "status": "affected",
        "version": "7.4.1"
      },
      {
        "status": "affected",
        "version": "7.5.0"
      },
      {
        "status": "affected",
        "version": "7.5.1"
      },
      {
        "status": "affected",
        "version": "18.1"
      }
    ]
  },
  {
    "product": "Integrated Data Protection Appliance",
    "vendor": "Dell EMC",
    "versions": [
      {
        "status": "affected",
        "version": "2.0"
      },
      {
        "status": "affected",
        "version": "2.1"
      },
      {
        "status": "affected",
        "version": "2.2"
      }
    ]
  }
]

References

www.securityfocus.com/bid/105971

www.securitytracker.com/id/1042153

seclists.org/fulldisclosure/2018/Nov/51

www.vmware.com/security/advisories/VMSA-2018-0029.html

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

6.7

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

8.5

Confidence

High

EPSS

0.001

Percentile

36.5%

JSON

Related for CVE-2018-11077