CVE-2022-29085

Dell Unity, Dell UnityVSA, and Dell Unity XT versions prior to 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user.

CVSS v3 6.4 MEDIUM
CVSS v2.0 4.6 MEDIUM

6.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.5 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.6^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 3.9 / Impact : 6.4

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.dell.com/support/kbdoc/000199050	Vendor Advisory
https://www.dell.com/support/kbdoc/000199050	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dell:unity_operating_environment::::::::
	cpe:2.3:a:dell:unity_xt_operating_environment::::::::
	cpe:2.3:a:dell:unityvsa_operating_environment::::::::

History

No history.

Information

Published : 2022-06-02 21:15

Updated : 2024-11-21 06:58

NVD link : CVE-2022-29085

Mitre link : CVE-2022-29085

CVE.ORG link : CVE-2022-29085

JSON object : View

Products Affected

dell

unityvsa_operating_environment
unity_xt_operating_environment
unity_operating_environment

CWE

CWE-256

Plaintext Storage of a Password

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2022-29085", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "security_alert@emc.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}]}, "published": "2022-06-02T21:15:07.880", "references": [{"url": "https://www.dell.com/support/kbdoc/000199050", "tags": ["Vendor Advisory"], "source": "security_alert@emc.com"}, {"url": "https://www.dell.com/support/kbdoc/000199050", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security_alert@emc.com", "description": [{"lang": "en", "value": "CWE-256"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "Dell Unity, Dell UnityVSA, and Dell Unity XT versions prior to 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user."}, {"lang": "es", "value": "Dell Unity, Dell UnityVSA y Dell Unity XT versiones anteriores a la 5.2.0.0.5.173 contienen una vulnerabilidad en el almacenamiento de contrase\u00f1as de texto plano cuando son ejecutados determinadas herramientas fuera de la matriz en el sistema. Las credenciales de un usuario con altos privilegios son almacenadas en texto plano. Un usuario local malicioso con altos privilegios puede usar la contrase\u00f1a expuesta para conseguir acceso con los privilegios del usuario comprometido"}], "lastModified": "2024-11-21T06:58:27.610", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dell:unity_operating_environment:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4855E724-3CDB-403C-990A-BC40D11F164C", "versionEndExcluding": "5.2.0.0.5.173"}, {"criteria": "cpe:2.3:a:dell:unity_xt_operating_environment:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F60B8C6-8F5B-4E0C-BAFD-764F24200CDA", "versionEndExcluding": "5.2.0.0.5.173"}, {"criteria": "cpe:2.3:a:dell:unityvsa_operating_environment:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA1CEA94-0334-4783-BB4B-8863BFEFB7B6", "versionEndExcluding": "5.2.0.0.5.173"}], "operator": "OR"}]}], "sourceIdentifier": "security_alert@emc.com"}