CVE-2024-22454

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

Dell PowerProtect Data Manager, version 19.15 and prior versions, contain a weak password recovery mechanism for forgotten passwords. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to unauthorized access to the application with privileges of the compromised account. The attacker could retrieve the reset password token without authorization and then perform the password change

References

Link	Resource
https://www.dell.com/support/kbdoc/en-us/000222025/dsa-2024-061-dell-power-protect-data-manager-update-for-multiple-security-vulnerabilities	Patch Vendor Advisory
https://www.dell.com/support/kbdoc/en-us/000222025/dsa-2024-061-dell-power-protect-data-manager-update-for-multiple-security-vulnerabilities	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dell:powerprotect_data_manager:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:56

Type	Values Removed	Values Added
References	~~() https://www.dell.com/support/kbdoc/en-us/000222025/dsa-2024-061-dell-power-protect-data-manager-update-for-multiple-security-vulnerabilities - Patch, Vendor Advisory~~	() https://www.dell.com/support/kbdoc/en-us/000222025/dsa-2024-061-dell-power-protect-data-manager-update-for-multiple-security-vulnerabilities - Patch, Vendor Advisory

Information

Published : 2024-02-13 08:16

Updated : 2024-11-21 08:56

NVD link : CVE-2024-22454

Mitre link : CVE-2024-22454

CVE.ORG link : CVE-2024-22454

JSON object : View

Products Affected

powerprotect_data_manager

CWE

CWE-640

Weak Password Recovery Mechanism for Forgotten Password

{"id": "CVE-2024-22454", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2024-02-13T08:16:35.993", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000222025/dsa-2024-061-dell-power-protect-data-manager-update-for-multiple-security-vulnerabilities", "tags": ["Patch", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://www.dell.com/support/kbdoc/en-us/000222025/dsa-2024-061-dell-power-protect-data-manager-update-for-multiple-security-vulnerabilities", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-640"}]}], "descriptions": [{"lang": "en", "value": "\nDell PowerProtect Data Manager, version 19.15 and prior versions, contain a weak password recovery mechanism for forgotten passwords. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to unauthorized access to the application with privileges of the compromised account. The attacker could retrieve the reset password token without authorization and then perform the password change\n\n"}, {"lang": "es", "value": "Dell PowerProtect Data Manager, versi\u00f3n 19.15 y versiones anteriores, contienen un mecanismo de recuperaci\u00f3n de contrase\u00f1as d\u00e9bil para contrase\u00f1as olvidadas. Un atacante remoto no autenticado podr\u00eda explotar esta vulnerabilidad, lo que provocar\u00eda un acceso no autorizado a la aplicaci\u00f3n con privilegios de la cuenta comprometida. El atacante podr\u00eda recuperar el token de restablecimiento de contrase\u00f1a sin autorizaci\u00f3n y luego realizar el cambio de contrase\u00f1a."}], "lastModified": "2024-11-21T08:56:19.273", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dell:powerprotect_data_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "497410EB-0DE3-4C13-A2EE-C49136E12B33", "versionEndIncluding": "19.15"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}