DSA-2025-062: Security Update for Dell PowerProtect Data Manager Multiple Security Vulnerabilities
Resumo: Dell PowerProtect Data Manager remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system.
Impacto
Critical
Dados
|
Third Party Component |
CVEs |
More Information |
|---|---|---|
|
Jetty: Java based HTTP/1.x, HTTP/2, Servlet, WebSocket Server9.4.53.20231009 |
CVE-2024-8184, CVE-2024-6763 |
|
|
Quartz Enterprise Job Scheduler2.3.2 |
CVE-2023-39017 |
|
|
rollup4.20.0 |
CVE-2024-47068 |
|
|
Request - Simple HTTP Client2.88.2 |
CVE-2023-28155 |
|
|
http-proxy-middleware2.0.6 |
CVE-2024-21536 |
|
|
Python Programming Language 3.11.9 |
CVE-2023-41105, CVE-2023-36632, CVE-2007-4559, CVE-2023-40217, CVE-2023-24329, CVE-2023-52425, CVE-2023-52426, CVE-2023-50782, CVE-2023-49083, CVE-2024-0727, CVE-2021-3711, CVE-2022-2068,CVE-2022-1292, CVE-2023-4807, CVE-2023-0215, CVE-2022-4450, CVE-2022-0778, CVE-2021-23840,CVE-2023-0464, CVE-2021-3450, CVE-2023-0286, CVE-2021-3712, CVE-2023-2650, CVE-2021-3449, CVE-2022-4304, CVE-2021-23841, CVE-2023-0466, CVE-2023-5678, CVE-2022-2097, CVE-2023-0465, CVE-2023-3817, CVE-2023-23931 |
|
|
zlib 1.3.1 |
CVE-2023-45853 |
|
|
java-17-openjdk 17.0.14 |
CVE-2024-21235, CVE-2024-21208, CVE-2024-21210, CVE-2024-21217, CVE-2025-21502 |
|
|
libcurl4, curl |
CVE-2025-0725, CVE-2025-0167 |
|
|
golang.org/x/crypto/ssh |
CVE-2024-45337 |
|
|
golang.org/x/net/html |
CVE-2024-45338 |
|
|
logback-1.4.7 |
CVE-2023-6378 |
|
|
Spring framework 6.1.8 |
CVE-2024-38820 |
|
|
libxml2-2=2.9.14-150400.5.38.1 libxml2-tools=2.9.14-150400.5.38.1 |
CVE-2024-56171, CVE-2025-24928, CVE-2025-27113 |
|
|
ucode-intel=20250211-150200.53.1 |
CVE-2024-31068, CVE-2024-36293, CVE-2024-37020, CVE-2024-39355 |
|
|
kernel-default=5.14.21-150400.24.150.1 |
CVE-2024-50199, CVE-2024-53104, CVE-2024-53166, CVE-2024-53177, CVE-2024-56600, CVE-2024-56601, CVE-2024-56602, CVE-2024-56623, CVE-2024-56631, CVE-2024-56642, CVE-2024-56645, CVE-2024-56648, CVE-2024-56650, CVE-2024-56658, CVE-2024-56661, CVE-2024-56664, CVE-2024-56704, CVE-2024-56759, CVE-2024-57791, CVE-2024-57792, CVE-2024-57798, CVE-2024-57849, CVE-2024-57893, CVE-2024-57897 |
|
|
openssh-clients=8.4p1-150300.3.42.1 libxml2-tools=2.9.14-150400.5.38.1 openssh-fips=8.4p1-150300.3.42.1 openssh-server=8.4p1-150300.3.42.1 openssh=8.4p1-150300.3.42.1 |
CVE-2025-26465 |
|
|
emacs-info=27.2-150400.3.23.2 emacs-nox=27.2-150400.3.23.2 emacs=27.2-150400.3.23.2 etags=27.2-150400.3.23.2 |
CVE-2025-1244 |
|
|
libopenssl1_1-hmac=1.1.1l-150400.7.78.1 libopenssl1_1=1.1.1l-150400.7.78.1 openssl-1_1=1.1.1l-150400.7.78.1 |
CVE-2024-13176 |
|
|
libruby2_5-2_5=2.5.9-150000.4.36.1 ruby2.5-stdlib=2.5.9-150000.4.36.1 ruby2.5=2.5.9-150000.4.36.1 |
CVE-2024-47220, CVE-2024-49761 |
|
|
libpq5=17.4-150200.5.10.1 postgresql14-server=14.17-150200.5.55.1 postgresql14=14.17-150200.5.55.1 |
CVE-2025-1094 |
|
|
glibc-extra=2.31-150300.92.1 glibc-lang=2.31-150300.92.1 glibc-locale-base=2.31-150300.92.1 glibc-locale=2.31-150300.92.1 glibc=2.31-150300.92.1 |
CVE-2025-0395 |
|
|
bind-utils=9.16.50-150400.5.46.1 python3-bind=9.16.50-150400.5.46.1 |
CVE-2024-11187 |
|
|
libtasn1-6=4.13-150000.4.11.1 libtasn1=4.13-150000.4.11.1 |
CVE-2024-12133 |
|
|
curl=8.0.1-150400.5.62.1 libcurl4=8.0.1-150400.5.62.1 |
CVE-2024-11053, CVE-2025-0167, CVE-2025-0725 |
|
|
grub2-i386-pc=2.06-150400.11.55.2 grub2-snapper-plugin=2.06-150400.11.55.2 grub2-systemd-sleep-plugin=2.06-150400.11.55.2 grub2-x86_64-efi=2.06-150400.11.55.2 grub2=2.06-150400.11.55.2 |
CVE-2024-45774, CVE-2024-45775, CVE-2024-45776, CVE-2024-45777, CVE-2024-45778, CVE-2024-45779, CVE-2024-45780, CVE-2024-45781, CVE-2024-45782, CVE-2024-45783, CVE-2024-56737, CVE-2025-0622, CVE-2025-0624, CVE-2025-0677, CVE-2025-0678, CVE-2025-0684, CVE-2025-0685, CVE-2025-0686, CVE-2025-0689, CVE-2025-0690, CVE-2025-1118, CVE-2025-1125 |
|
Proprietary Code CVEs |
Description |
CVSS Base Score |
CVSS Vector String |
|---|---|---|---|
|
CVE-2025-23375 |
Dell PowerProtect Data Manager Reporting, version(s) 19.17, contain(s) an Incorrect Use of Privileged APIs vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. |
7.8 |
|
|
CVE-2025-23376 |
Dell PowerProtect Data Manager Reporting, version(s) 19.16, 19.17, 19.18, contain(s) an Improper Neutralization of Special Elements Used in a Template Engine vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure. |
2.3 |
|
|
CVE-2025-23377 |
Dell PowerProtect Data Manager Reporting, version(s) 19.17, 19.18 contain(s) an Improper Encoding or Escaping of Output vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability to inject arbitrary web script or html in reporting outputs. |
4.2 |
|
|
CVE-2025-27691 |
Dell PowerProtect Agent Service, version(s) 19.16, 19.17, and 19.18, contain(s) a Plaintext Storage of a Password vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the Postgres, Oracle, and cache environments with privileges of the compromised account. |
7.5 |
|
Proprietary Code CVEs |
Description |
CVSS Base Score |
CVSS Vector String |
|---|---|---|---|
|
CVE-2025-23375 |
Dell PowerProtect Data Manager Reporting, version(s) 19.17, contain(s) an Incorrect Use of Privileged APIs vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. |
7.8 |
|
|
CVE-2025-23376 |
Dell PowerProtect Data Manager Reporting, version(s) 19.16, 19.17, 19.18, contain(s) an Improper Neutralization of Special Elements Used in a Template Engine vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure. |
2.3 |
|
|
CVE-2025-23377 |
Dell PowerProtect Data Manager Reporting, version(s) 19.17, 19.18 contain(s) an Improper Encoding or Escaping of Output vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability to inject arbitrary web script or html in reporting outputs. |
4.2 |
|
|
CVE-2025-27691 |
Dell PowerProtect Agent Service, version(s) 19.16, 19.17, and 19.18, contain(s) a Plaintext Storage of a Password vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the Postgres, Oracle, and cache environments with privileges of the compromised account. |
7.5 |
Produtos afetados e soluções
|
Product |
Software/Firmware |
Affected Versions |
Remediated Versions |
Link |
|---|---|---|---|---|
|
PowerProtect Data Manager |
PowerProtect Data Manager Software 19.19.0-15 |
Versions 19.15.0 through 19.18.0-23 |
Version 19.19.0-15 or later |
|
Product |
Software/Firmware |
Affected Versions |
Remediated Versions |
Link |
|---|---|---|---|---|
|
PowerProtect Data Manager |
PowerProtect Data Manager Software 19.19.0-15 |
Versions 19.15.0 through 19.18.0-23 |
Version 19.19.0-15 or later |
Histórico de revisão
|
Revision |
Date |
Description |
|---|---|---|
|
1.0 |
2025-04-24 |
Initial Release |
|
2.0 |
2025-04-24 |
Updated for enhanced presentation with no changes to content |
|
3.0 |
2025-04-25 |
Updated for enhanced presentation with no changes to content |
|
4.0 |
2025-05-07 |
Updated CVE Identifier and Third Party Components section to remove Node.js 22.13.0 references |
|
5.0 |
2025-05-28 |
Updated the Proprietary Code section: Added CVE-2025-27691 details. |