DSA-2022-003: Dell EMC AppSync Security Update for Multiple Vulnerabilities

Sumário

Artigo detalhado

Impacto

Dados

Produtos afetados e soluções

Histórico de revisão

Informações relacionadas

Aviso de isenção legal

Produtos afetados

Fornecer feedback

Resumo: Dell EMC AppSync remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Este artigo aplica-se a Este artigo não se aplica a Este artigo não está vinculado a nenhum produto específico. Nem todas as versões do produto estão identificadas neste artigo.

Confira outros recursos

Impacto

High

Dados

Proprietary Code CVEs	Description	CVSS Base Score	CVSS Vector String
CVE-2022-22551	Dell EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings. An Adjacent, unauthenticated attacker may potentially exploit this vulnerability, and hijack the victim session.	8.3	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CVE-2022-22552	Dell EMC AppSync versions 3.9 to 4.3 contain a clickjacking vulnerability in AppSync. A remote unauthenticated attacker may potentially exploit this vulnerability to trick the victim into executing state changing operations.	6.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:H
CVE-2022-22553	Dell EMC AppSync versions 3.9 to 4.3 contain an Improper Restriction of Excessive Authentication Attempts Vulnerability that may be exploited from UI and CLI. An adjacent unauthenticated attacker may potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users.	8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Third-party Component	CVEs	More information
RESTEasy 3.0.10.Final	CVE-2016-9606	https://nvd.nist.gov/vuln/detail/CVE-2016-9606
	CVE-2020-1695	https://nvd.nist.gov/vuln/detail/CVE-2020-1695
	CVE-2020-25724	https://nvd.nist.gov/vuln/detail/CVE-2020-25724
	CVE-2020-14326	https://nvd.nist.gov/vuln/detail/CVE-2020-14326
	CVE-2017-7561	https://nvd.nist.gov/vuln/detail/CVE-2017-7561
	CVE-2016-6346	https://nvd.nist.gov/vuln/detail/CVE-2016-6346
	CVE-2020-10688	https://nvd.nist.gov/vuln/detail/CVE-2020-10688
	CVE-2021-20293	https://nvd.nist.gov/vuln/detail/CVE-2021-20293
	CVE-2020-25633	https://nvd.nist.gov/vuln/detail/CVE-2020-25633
	CVE-2021-20289	https://nvd.nist.gov/vuln/detail/CVE-2021-20289
Simple-XML 2.4.1	CVE-2017-1000190	https://nvd.nist.gov/vuln/detail/CVE-2017-1000190

Proprietary Code CVEs	Description	CVSS Base Score	CVSS Vector String
CVE-2022-22551	Dell EMC AppSync versions 3.9 to 4.3 use GET request method with sensitive query strings. An Adjacent, unauthenticated attacker may potentially exploit this vulnerability, and hijack the victim session.	8.3	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H
CVE-2022-22552	Dell EMC AppSync versions 3.9 to 4.3 contain a clickjacking vulnerability in AppSync. A remote unauthenticated attacker may potentially exploit this vulnerability to trick the victim into executing state changing operations.	6.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:H
CVE-2022-22553	Dell EMC AppSync versions 3.9 to 4.3 contain an Improper Restriction of Excessive Authentication Attempts Vulnerability that may be exploited from UI and CLI. An adjacent unauthenticated attacker may potentially exploit this vulnerability, leading to password brute-forcing. Account takeover is possible if weak passwords are used by users.	8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Third-party Component	CVEs	More information
RESTEasy 3.0.10.Final	CVE-2016-9606	https://nvd.nist.gov/vuln/detail/CVE-2016-9606
	CVE-2020-1695	https://nvd.nist.gov/vuln/detail/CVE-2020-1695
	CVE-2020-25724	https://nvd.nist.gov/vuln/detail/CVE-2020-25724
	CVE-2020-14326	https://nvd.nist.gov/vuln/detail/CVE-2020-14326
	CVE-2017-7561	https://nvd.nist.gov/vuln/detail/CVE-2017-7561
	CVE-2016-6346	https://nvd.nist.gov/vuln/detail/CVE-2016-6346
	CVE-2020-10688	https://nvd.nist.gov/vuln/detail/CVE-2020-10688
	CVE-2021-20293	https://nvd.nist.gov/vuln/detail/CVE-2021-20293
	CVE-2020-25633	https://nvd.nist.gov/vuln/detail/CVE-2020-25633
	CVE-2021-20289	https://nvd.nist.gov/vuln/detail/CVE-2021-20289
Simple-XML 2.4.1	CVE-2017-1000190	https://nvd.nist.gov/vuln/detail/CVE-2017-1000190

A Dell Technologies recomenda que todos os clientes levem em consideração a pontuação base CVSS e as pontuações temporais e ambientais pertinentes que possam afetar a gravidade potencial associada a uma vulnerabilidade de segurança específica.

Produtos afetados e soluções

Product	Affected Versions	Updated Versions	Link to Update
Dell EMC AppSync	Versions before 4.4.0.0	4.4.0.0	https://dl.dell.com/downloads/DL107581

Product	Affected Versions	Updated Versions	Link to Update
Dell EMC AppSync	Versions before 4.4.0.0	4.4.0.0	https://dl.dell.com/downloads/DL107581

Histórico de revisão

Revision	Date	Description
1.0	2022-01-19	Initial Release

Informações relacionadas

Aviso de isenção legal

Produtos afetados

AppSync, AppSync, Product Security Information

Número do artigo: 000195377

Tipo de artigo: Dell Security Advisory

Último modificado: 19 jan. 2022

Verifique se o dispositivo está coberto pelos serviços de suporte.

DSA-2022-003: Dell EMC AppSync Security Update for Multiple Vulnerabilities

Resumo: Dell EMC AppSync remediation is available for multiple security vulnerabilities that may be exploited by malicious users to compromise the affected system.

Impacto

Dados

Produtos afetados e soluções

Histórico de revisão

Informações relacionadas

Aviso de isenção legal

Produtos afetados

Propriedades do artigo

Encontre as respostas de outros usuários da Dell para suas perguntas.

Serviços de suporte

Propriedades do artigo

Encontre as respostas de outros usuários da Dell para suas perguntas.

Serviços de suporte