CRITICAL🇵🇱 Wersja polska

CVE-2024-0002

CVSS 10.0v3.1pub. 2024-09-23upd. 2024-09-27

A condition exists in FlashArray Purity whereby an attacker can employ a privileged account allowing remote access to the array.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-287 (improper authentication) allows an attacker remote access to the FlashArray using a privileged account. The attack requires no prior privileges, user interaction, or specific network conditions — it is possible over the network without authentication. The scope of the vulnerability extends beyond the system where the vulnerability exists (Scope: Changed), indicating potential impact on a broader infrastructure.

Impact

An attacker can gain full remote access to the array with administrative privileges, resulting in complete loss of confidentiality, integrity, and availability of stored data.

Mitigation & patch

Patches available from the vendor should be applied immediately according to references published by Pure Storage at https://purestorage.com/security. Until the patch is deployed, consider restricting network access to array management interfaces exclusively to trusted administrative hosts.

Who is affected

Pure Storage FlashArray Purity (Purity//FA) — specific versions indicated in vendor references available at purestorage.com/security

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Purestorage Purity\/\/fa

    APP
    Purestorage
    6.5.06.0.7 – 6.0.96.1.8 – 6.1.255.3.17 – 5.3.216.3.0 – 6.3.146.4.0 – 6.4.106.2.0 – 6.2.17
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2024-0001CRITICAL10.0PL ✓ten sam produkt

FlashArray Purity — aktywne konto lokalne umożliwia privilege escalation

CVE-2024-0005CRITICAL9.1PL ✓ten sam produkt

Command injection w Pure Storage Purity poprzez konfigurację SNMP

CVE-2024-0004CRITICAL9.1PL ✓ten sam produkt

Zdalne wykonanie kodu z eskalacją uprawnień w Pure Storage FlashArray Purity

CVE-2024-0003CRITICAL9.1PL ✓ten sam produkt

Pure Storage FlashArray Purity — nieautoryzowane tworzenie konta z uprawnieniami

CVE-2022-32554CRITICAL9.8ten sam produkt

Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3....