CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2022-32554

CVSS 9.8v3.1pub. 2022-06-23upd. 2024-11-21

Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to possibly exposed credentials for accessing the product’s management interface. The password may be known outside Pure Storage and could be used on an affected system, if reachable, to execute arbitrary instructions with root privileges. No other Pure Storage products or services are affected. Remediation is available from Pure Storage via a self-serve “opt-in” patch, manual patch application or a software upgrade to an unaffected version of Purity software.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Purestorage Purity\/\/fa

    APP
    Purestorage
    < 5.3.186.0.0 – 6.0.9 (bez)6.1.0 – 6.1.13 (bez)6.2.0 – 6.2.4 (bez)
  • Purestorage Purity\/\/fb

    APP
    Purestorage
    < 3.1.133.2.0 – 3.2.5 (bez)3.3.0 – 3.3.1 (bez)
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2024-0005CRITICAL9.1PL ✓ten sam produkt

Command injection w Pure Storage Purity poprzez konfigurację SNMP

CVE-2024-0001CRITICAL10.0PL ✓ten sam produkt

FlashArray Purity — aktywne konto lokalne umożliwia privilege escalation

CVE-2024-0002CRITICAL10.0PL ✓ten sam produkt

Obejście uwierzytelnienia w Pure Storage FlashArray Purity (CVSS 10.0)

CVE-2024-0003CRITICAL9.1PL ✓ten sam produkt

Pure Storage FlashArray Purity — nieautoryzowane tworzenie konta z uprawnieniami

CVE-2024-0004CRITICAL9.1PL ✓ten sam produkt

Zdalne wykonanie kodu z eskalacją uprawnień w Pure Storage FlashArray Purity