Lucene search

[email protected]CVE-2024-21985

HistoryJan 26, 2024 - 4:15 p.m.

CVE-2024-21985

2024-01-2616:15:22

CWE-269

[email protected]

web.nvd.nist.gov

ontap

vulnerability

cve

nvd

ontap 9

authentication

rest api

dos

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

7.4 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.5%

JSON

ONTAP 9 versions prior to 9.9.1P18, 9.10.1P16, 9.11.1P13, 9.12.1P10
and 9.13.1P4 are susceptible to a vulnerability which could allow an
authenticated user with multiple remote accounts with differing roles to
perform actions via REST API beyond their intended privilege. Possible
actions include viewing limited configuration details and metrics or
modifying limited settings, some of which could result in a Denial of
Service (DoS).

Affected configurations

NVD

Node

netappclustered_data_ontapRange9.0–9.9.1

netappclustered_data_ontapRange9.10.0–9.10.1

netappclustered_data_ontapRange9.11.0–9.11.1

netappclustered_data_ontapRange9.12.0–9.12.1

netappclustered_data_ontapRange9.13.0–9.13.1

netappclustered_data_ontapMatch9.9.1-

netappclustered_data_ontapMatch9.10.1-

netappclustered_data_ontapMatch9.11.1-

netappclustered_data_ontapMatch9.12.1-

netappclustered_data_ontapMatch9.13.1-

CPENameOperatorVersion
netapp:clustered_data_ontapnetapp clustered data ontaplt9.9.1
netapp:clustered_data_ontapnetapp clustered data ontaplt9.10.1
netapp:clustered_data_ontapnetapp clustered data ontaplt9.11.1
netapp:clustered_data_ontapnetapp clustered data ontaplt9.12.1
netapp:clustered_data_ontapnetapp clustered data ontaplt9.13.1

CPE	Name	Operator	Version
netapp:clustered_data_ontap	netapp clustered data ontap	lt	9.9.1
netapp:clustered_data_ontap	netapp clustered data ontap	lt	9.10.1
netapp:clustered_data_ontap	netapp clustered data ontap	lt	9.11.1
netapp:clustered_data_ontap	netapp clustered data ontap	lt	9.12.1
netapp:clustered_data_ontap	netapp clustered data ontap	lt	9.13.1

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "ONTAP 9",
    "vendor": "NetApp",
    "versions": [
      {
        "lessThan": "9.9.1P18",
        "status": "affected",
        "version": "9.0",
        "versionType": "patch"
      },
      {
        "lessThan": "9.10.1P16",
        "status": "affected",
        "version": "9.10.1",
        "versionType": "patch"
      },
      {
        "lessThan": "9.11.1P13",
        "status": "affected",
        "version": "9.11.1",
        "versionType": "patch"
      },
      {
        "lessThan": "9.12.1P10",
        "status": "affected",
        "version": "9.12.1",
        "versionType": "patch"
      },
      {
        "lessThan": "9.13.1P4",
        "status": "affected",
        "version": "9.13.1",
        "versionType": "patch"
      }
    ]
  }
]

References

security.netapp.com/advisory/ntap-20240126-0001/