Lucene search

NetappCVELIST:CVE-2024-21985

HistoryJan 26, 2024 - 4:01 p.m.

CVE-2024-21985 Privilege Escalation Vulnerability in ONTAP 9

2024-01-2616:01:48

CWE-269

netapp

www.cve.org

ontap 9

vulnerability

privilege escalation

authenticated user

remote accounts

rest api

dos

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

7.7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.5%

JSON

ONTAP 9 versions prior to 9.9.1P18, 9.10.1P16, 9.11.1P13, 9.12.1P10
and 9.13.1P4 are susceptible to a vulnerability which could allow an
authenticated user with multiple remote accounts with differing roles to
perform actions via REST API beyond their intended privilege. Possible
actions include viewing limited configuration details and metrics or
modifying limited settings, some of which could result in a Denial of
Service (DoS).

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "ONTAP 9",
    "vendor": "NetApp",
    "versions": [
      {
        "lessThan": "9.9.1P18",
        "status": "affected",
        "version": "9.0",
        "versionType": "patch"
      },
      {
        "lessThan": "9.10.1P16",
        "status": "affected",
        "version": "9.10.1",
        "versionType": "patch"
      },
      {
        "lessThan": "9.11.1P13",
        "status": "affected",
        "version": "9.11.1",
        "versionType": "patch"
      },
      {
        "lessThan": "9.12.1P10",
        "status": "affected",
        "version": "9.12.1",
        "versionType": "patch"
      },
      {
        "lessThan": "9.13.1P4",
        "status": "affected",
        "version": "9.13.1",
        "versionType": "patch"
      }
    ]
  }
]

References

security.netapp.com/advisory/ntap-20240126-0001/