DSA-2022-182: Cloud Mobility for Dell Storage Security Update for a Path Traversal RCE Vulnerability
Summary: Cloud Mobility for Dell Storage remediation is available for a path traversal RCE vulnerability that may be exploited by malicious users to compromise the affected system.
Impact
High
Details
Cloud Mobility for Dell Storage 1.3.0 contains an RCE vulnerability. A nonprivileged user could potentially exploit this vulnerability to obtain a root shell. This is a high severity issue, so Dell Technologies recommends that customers upgrade at the earliest opportunity.
| Proprietary Code CVE | Description | CVSS Base Score | CVSS Vector |
|---|---|---|---|
| CVE-2022-33936 | Cloud Mobility for Dell Storage versions 1.3.0 and earlier contains a path traversal in the backup mechanism for the vApp. Any basic user may purposefully or accidentally exploit this vulnerability, leading to RCE with full take over of the system. | 8.0 | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Affected Products & Remediation
| CVE Addressed | Product | Affected Version | Updated Version | Link to Update |
|---|---|---|---|---|
| CVE-2022-33936 | Cloud Mobility for Dell Storage | 1.3.0 | 1.3.1 | Amazon Marketplace: Cloud Mobility for Dell Storage or VMware Marketplace |
Workarounds & Mitigations
We now reject any patterns in the restore tar file that start with an absolute path or contain .. anywhere in the file path.
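One way to apply the rejection rule described above to a restore archive before anything is extracted. This is an added example, not Dell's code: the function names and the in-memory sample archive are constructed for illustration, and checking link targets is an assumption that goes beyond the rule stated in this advisory.

```python
import io
import tarfile


def unsafe_reason(path):
    """Return why a path is rejected, or None if it passes the rule."""
    if path.startswith("/"):
        return "absolute path"
    # Literal reading of the rule: ".." anywhere, so "notes..txt" is rejected too.
    if ".." in path:
        return "contains '..'"
    return None


def check_restore_archive(fileobj):
    """Return (member name, reason) for each violating entry; nothing is extracted."""
    violations = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            reason = unsafe_reason(member.name)
            # Assumption beyond the advisory: link targets are held to the same rule.
            if reason is None and (member.issym() or member.islnk()):
                target = unsafe_reason(member.linkname)
                reason = "link target: " + target if target else None
            if reason:
                violations.append((member.name, reason))
    return violations


def build_sample(entries):
    """Build an in-memory tar from (name, link target or None) pairs; constructed data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, link in entries:
            info = tarfile.TarInfo(name)
            if link is None:
                data = b"constructed sample"
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = link
                tar.addfile(info)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample([("config/settings.json", None), ("/abs/file", None),
                           ("data/../outside", None), ("link", "../target")])
    for name, reason in check_restore_archive(sample):
        print(f"REJECT {name}: {reason}")
```

A restore routine would refuse the whole archive when the returned list is non-empty, rather than skipping only the flagged entries.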
Revision History
| Revision | Date | Description |
|---|---|---|
| 1.0 | 2022-07-06 | Initial release |
Affected Products
Product Security Information
Article Properties
Article Number: 000201258
Article Type: Dell Security Advisory
Last Modified: 20 Jun 2023