A condition exists in FlashArray Purity whereby an attacker can employ a privileged account allowing remote access to the array.
The vulnerability classified as CWE-287 (improper authentication) allows an attacker remote access to the FlashArray using a privileged account. The attack requires no prior privileges, user interaction, or specific network conditions — it is possible over the network without authentication. The scope of the vulnerability extends beyond the system where the vulnerability exists (Scope: Changed), indicating potential impact on a broader infrastructure.
An attacker can gain full remote access to the array with administrative privileges, resulting in complete loss of confidentiality, integrity, and availability of stored data.
Patches available from the vendor should be applied immediately according to references published by Pure Storage at https://purestorage.com/security. Until the patch is deployed, consider restricting network access to array management interfaces exclusively to trusted administrative hosts.
Pure Storage FlashArray Purity (Purity//FA) — specific versions indicated in vendor references available at purestorage.com/security
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HPurestorage Purity\/\/fa
APPPurestorage6.5.06.0.7 – 6.0.96.1.8 – 6.1.255.3.17 – 5.3.216.3.0 – 6.3.146.4.0 – 6.4.106.2.0 – 6.2.17
Related vulnerabilities
FlashArray Purity — aktywne konto lokalne umożliwia privilege escalation
Command injection w Pure Storage Purity poprzez konfigurację SNMP
Zdalne wykonanie kodu z eskalacją uprawnień w Pure Storage FlashArray Purity
Pure Storage FlashArray Purity — nieautoryzowane tworzenie konta z uprawnieniami
Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3....