DSA-2022-003: Dell EMC AppSync Security Update for Multiple Vulnerabilities

Sommario

Articolo dettagliato

Impatto

Dettagli

Prodotti interessati e correzione

Cronologia delle revisioni

Informazioni correlate

Dichiarazione di non responsabilità

Prodotti interessati

Inserisci commento

Riepilogo: Dell EMC AppSync remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Questo articolo si applica a Questo articolo non si applica a Questo articolo non è legato a un prodotto specifico. Non tutte le versioni del prodotto sono identificate in questo articolo.

Scopri le altre risorse

Impatto

High

Dettagli

Proprietary Code CVEs	Description	CVSS Base Score	CVSS Vector String
CVE-2022-22551	Dell EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings. An Adjacent, unauthenticated attacker may potentially exploit this vulnerability, and hijack the victim session.	8.3	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CVE-2022-22552	Dell EMC AppSync versions 3.9 to 4.3 contain a clickjacking vulnerability in AppSync. A remote unauthenticated attacker may potentially exploit this vulnerability to trick the victim into executing state changing operations.	6.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:H
CVE-2022-22553	Dell EMC AppSync versions 3.9 to 4.3 contain an Improper Restriction of Excessive Authentication Attempts Vulnerability that may be exploited from UI and CLI. An adjacent unauthenticated attacker may potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users.	8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Third-party Component	CVEs	More information
RESTEasy 3.0.10.Final	CVE-2016-9606	https://nvd.nist.gov/vuln/detail/CVE-2016-9606
	CVE-2020-1695	https://nvd.nist.gov/vuln/detail/CVE-2020-1695
	CVE-2020-25724	https://nvd.nist.gov/vuln/detail/CVE-2020-25724
	CVE-2020-14326	https://nvd.nist.gov/vuln/detail/CVE-2020-14326
	CVE-2017-7561	https://nvd.nist.gov/vuln/detail/CVE-2017-7561
	CVE-2016-6346	https://nvd.nist.gov/vuln/detail/CVE-2016-6346
	CVE-2020-10688	https://nvd.nist.gov/vuln/detail/CVE-2020-10688
	CVE-2021-20293	https://nvd.nist.gov/vuln/detail/CVE-2021-20293
	CVE-2020-25633	https://nvd.nist.gov/vuln/detail/CVE-2020-25633
	CVE-2021-20289	https://nvd.nist.gov/vuln/detail/CVE-2021-20289
Simple-XML 2.4.1	CVE-2017-1000190	https://nvd.nist.gov/vuln/detail/CVE-2017-1000190

Proprietary Code CVEs	Description	CVSS Base Score	CVSS Vector String
CVE-2022-22551	Dell EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings. An Adjacent, unauthenticated attacker may potentially exploit this vulnerability, and hijack the victim session.	8.3	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CVE-2022-22552	Dell EMC AppSync versions 3.9 to 4.3 contain a clickjacking vulnerability in AppSync. A remote unauthenticated attacker may potentially exploit this vulnerability to trick the victim into executing state changing operations.	6.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:H
CVE-2022-22553	Dell EMC AppSync versions 3.9 to 4.3 contain an Improper Restriction of Excessive Authentication Attempts Vulnerability that may be exploited from UI and CLI. An adjacent unauthenticated attacker may potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users.	8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Third-party Component	CVEs	More information
RESTEasy 3.0.10.Final	CVE-2016-9606	https://nvd.nist.gov/vuln/detail/CVE-2016-9606
	CVE-2020-1695	https://nvd.nist.gov/vuln/detail/CVE-2020-1695
	CVE-2020-25724	https://nvd.nist.gov/vuln/detail/CVE-2020-25724
	CVE-2020-14326	https://nvd.nist.gov/vuln/detail/CVE-2020-14326
	CVE-2017-7561	https://nvd.nist.gov/vuln/detail/CVE-2017-7561
	CVE-2016-6346	https://nvd.nist.gov/vuln/detail/CVE-2016-6346
	CVE-2020-10688	https://nvd.nist.gov/vuln/detail/CVE-2020-10688
	CVE-2021-20293	https://nvd.nist.gov/vuln/detail/CVE-2021-20293
	CVE-2020-25633	https://nvd.nist.gov/vuln/detail/CVE-2020-25633
	CVE-2021-20289	https://nvd.nist.gov/vuln/detail/CVE-2021-20289
Simple-XML 2.4.1	CVE-2017-1000190	https://nvd.nist.gov/vuln/detail/CVE-2017-1000190

Dell Technologies raccomanda a tutti i clienti di prendere in considerazione sia il punteggio base CVSS, sia ogni eventuale punteggio temporale o ambientale che possa avere effetti sul livello di gravità potenziale associato a una specifica vulnerabilità di sicurezza.

Prodotti interessati e correzione

Product	Affected Versions	Updated Versions	Link to Update
Dell EMC AppSync	Versions before 4.4.0.0	4.4.0.0	https://dl.dell.com/downloads/DL107581

Product	Affected Versions	Updated Versions	Link to Update
Dell EMC AppSync	Versions before 4.4.0.0	4.4.0.0	https://dl.dell.com/downloads/DL107581

Cronologia delle revisioni

Revision	Date	Description
1.0	2022-01-19	Initial Release

Informazioni correlate

Dichiarazione di non responsabilità

Prodotti interessati

AppSync, AppSync, Product Security Information

Numero articolo: 000195377

Tipo di articolo: Dell Security Advisory

Ultima modifica: 19 gen 2022

Verifica che il dispositivo sia coperto dai Servizi di supporto.

DSA-2022-003: Dell EMC AppSync Security Update for Multiple Vulnerabilities

Riepilogo: Dell EMC AppSync remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Impatto

Dettagli

Prodotti interessati e correzione

Cronologia delle revisioni

Informazioni correlate

Dichiarazione di non responsabilità

Prodotti interessati

Proprietà dell'articolo

Trova risposta alle tue domande dagli altri utenti Dell

Support Services

Proprietà dell'articolo

Trova risposta alle tue domande dagli altri utenti Dell

Support Services