Article Number: 000222330


DSA-2024-077: Security Update for Dell Secure Connect Gateway Policy Manager Vulnerabilities

Summary: Dell Secure Connect Gateway Policy Manager remediation for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.

Article Content


Impact

High

Details

Third-party Component | CVEs
Apache Tomcat | CVE-2023-44487, CVE-2023-46589
@babel/traverse | CVE-2023-45133
ajv | CVE-2020-15366
json-path | CVE-2023-51074
Java 17 | CVE-2023-22025, CVE-2023-22081
com.fasterxml.jackson | CVE-2023-35116
ch.qos.logback | CVE-2023-6481, CVE-2023-6378
Spring | CVE-2023-34053, CVE-2023-34055
SUSE Enterprise 12 SP5 | CVE-2023-48795

More Information: see the NVD (https://nvd.nist.gov) for the individual score of each third-party CVE.

Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String
CVE-2024-24900 | Dell Secure Connect Gateway (SCG) Policy Manager, all versions, contains an improper authorization vulnerability. An adjacent network low privileged attacker could potentially exploit this vulnerability, leading to unauthorized devices being added to policies. Exploitation may lead to information disclosure and unauthorized access to the system. | 5.8 | CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N
CVE-2024-24903 | Dell Secure Connect Gateway (SCG) Policy Manager, version 5.10+, contains a weak password recovery mechanism for forgotten passwords. An adjacent network low privileged attacker could potentially exploit this vulnerability, leading to unauthorized access to the application with the privileges of the compromised account. The attacker could retrieve the password reset token without authorization and then perform the password change. | 8.0 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2024-24907 | Dell Secure Connect Gateway (SCG) Policy Manager, all versions, contains a Stored Cross-Site Scripting vulnerability in the Filters page. An adjacent network high privileged attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript code in a trusted application data store. When a victim user accesses the data store through their browser, the malicious code is executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. | 7.6 | CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
CVE-2024-24904 | Dell Secure Connect Gateway (SCG) Policy Manager, all versions, contains a Stored Cross-Site Scripting vulnerability. An adjacent network high privileged attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript code in a trusted application data store. When a victim user accesses the data store through their browser, the malicious code is executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. | 7.6 | CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
CVE-2024-24905 | Dell Secure Connect Gateway (SCG) Policy Manager, all versions, contains a Stored Cross-Site Scripting vulnerability. An adjacent network high privileged attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript code in a trusted application data store. When a victim user accesses the data store through their browser, the malicious code is executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. | 7.6 | CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
CVE-2024-24906 | Dell Secure Connect Gateway (SCG) Policy Manager, all versions, contains a Stored Cross-Site Scripting vulnerability in the Policy page. An adjacent network high privileged attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript code in a trusted application data store. When a victim user accesses the data store through their browser, the malicious code is executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. | 7.6 | CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed | Product | Affected Versions | Remediated Versions | Link
CVE-2023-6378, CVE-2023-34053, CVE-2023-34055, CVE-2023-51074, CVE-2023-35116, CVE-2023-22081, CVE-2023-22025, CVE-2020-15366, CVE-2023-6481, CVE-2023-44487, CVE-2023-46589, CVE-2023-45133, CVE-2023-48795 | Dell Policy Manager for Secure Connect Gateway | Version 5.20.00.10 | Version 5.22.00.16 | https://www.dell.com/support/home/en-us/product-support/product/secure-connect-gateway-ve/drivers
CVE-2024-24900, CVE-2024-24904, CVE-2024-24905, CVE-2024-24906, CVE-2024-24907 | Dell Policy Manager for Secure Connect Gateway | Versions prior to 5.22.00.16 | Version 5.22.00.16 | https://www.dell.com/support/home/en-us/product-support/product/secure-connect-gateway-ve/drivers
CVE-2024-24903 | Dell Policy Manager for Secure Connect Gateway | Versions 5.10 through 5.20.00.16 | Version 5.22.00.16 | https://www.dell.com/support/home/en-us/product-support/product/secure-connect-gateway-ve/drivers
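The three rows above use three different range shapes (an exact version, an exclusive "prior to" bound, and an inclusive "through" range), and a plain string comparison gets dotted versions such as 5.9 versus 5.10 wrong. The following triage helper, added here as an example and not a Dell tool, encodes the table as written (the CVE lists, version strings and remediated version are the advisory's; the function names and the sample inventory are constructed) and reports which CVEs still apply to an installed Policy Manager version.

```python
"""Version triage against the Affected Products table of DSA-2024-077.
Added example; the ranges are transcribed from the advisory's table."""
from typing import List, Tuple

REMEDIATED = "5.22.00.16"

# Third-party component CVEs: the table lists exactly version 5.20.00.10.
THIRD_PARTY_CVES = [
    "CVE-2023-6378", "CVE-2023-34053", "CVE-2023-34055", "CVE-2023-51074",
    "CVE-2023-35116", "CVE-2023-22081", "CVE-2023-22025", "CVE-2020-15366",
    "CVE-2023-6481", "CVE-2023-44487", "CVE-2023-46589", "CVE-2023-45133",
    "CVE-2023-48795",
]
# Proprietary CVEs listed for "versions prior to 5.22.00.16" (exclusive bound).
PRE_522_CVES = ["CVE-2024-24900", "CVE-2024-24904", "CVE-2024-24905",
                "CVE-2024-24906", "CVE-2024-24907"]
# CVE-2024-24903 is listed for "5.10 through 5.20.00.16" (both bounds inclusive).
PW_RESET_CVE = "CVE-2024-24903"


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.20.00.16' -> (5, 20, 0, 16). Rejects anything but dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SCG version string: {text!r}")
    return tuple(int(p) for p in parts)


def cmp(a: str, b: str) -> int:
    """Numeric dotted-version compare (-1, 0, 1). Shorter versions are padded
    with zeros so '5.10' == '5.10.00.00', and '5.9' < '5.10' as intended."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def open_cves(installed: str) -> List[str]:
    """CVEs from the remediation table that apply to the installed version,
    in the order the table lists them."""
    found: List[str] = []
    if cmp(installed, "5.20.00.10") == 0:
        found.extend(THIRD_PARTY_CVES)
    if cmp(installed, REMEDIATED) < 0:
        found.extend(PRE_522_CVES)
    if cmp("5.10", installed) <= 0 and cmp(installed, "5.20.00.16") <= 0:
        found.append(PW_RESET_CVE)
    return found


def needs_upgrade(installed: str) -> bool:
    return bool(open_cves(installed))


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = [("scg-pm-01", "5.20.00.10"), ("scg-pm-02", "5.21.00.05"),
                 ("scg-pm-03", "5.22.00.16"), ("scg-pm-04", "5.08.00.02")]
    for host, ver in inventory:
        cves = open_cves(ver)
        verdict = f"UPGRADE to {REMEDIATED}" if cves else "OK"
        print(f"{host} {ver}: {verdict} {cves}")
```

Because the helper follows the table literally, a 5.21 build is reported as exposed to the five "prior to 5.22.00.16" CVEs but not to CVE-2024-24903 or the third-party CVEs, which the table ties to 5.20.00.16 and 5.20.00.10 respectively; if your fleet runs builds the table does not name, treat that as a reason to upgrade anyway, since the only remediated version is 5.22.00.16.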
 

Workarounds and Mitigations

None

Acknowledgements

CVE-2024-24904: Dell Technologies would like to thank kosmosec for reporting this issue.
CVE-2024-24905: Dell Technologies would like to thank kosmosec for reporting this issue.
CVE-2024-24903: Dell Technologies would like to thank kosmosec for reporting this issue.
CVE-2024-24900: Dell Technologies would like to thank juust4 for reporting this issue.
CVE-2024-24906: Dell Technologies would like to thank juust4 for reporting this issue.
CVE-2024-24907: Dell Technologies would like to thank juust4 for reporting this issue.
 

Revision History

Revision | Date | Description
1.0 | 2024-02-29 | Initial Release

Related Information


Article Properties


Affected Product

Secure Connect Gateway, Secure Connect Gateway, Secure Connect Gateway - Virtual Edition

Last Published Date

29 Feb 2024

Version

2

Article Type

Dell Security Advisory