Lucene search

NetappCVE-2019-17274

HistoryFeb 26, 2020 - 6:15 p.m.

CVE-2019-17274

2020-02-2618:15:11

CWE-1188

netapp

web.nvd.nist.gov

cve-2019-17274

netapp

fas

aff

bmc

firmware

unauthorized access

command execution

nvd

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

Percentile

12.6%

JSON

NetApp FAS 8300/8700 and AFF A400 Baseboard Management Controller (BMC) firmware versions 13.x prior to 13.1P1 were shipped with a default account enabled that could allow unauthorized arbitrary command execution via local access.

Affected configurations

Nvd

Node

netappfabric-attached_storage_8700Match-

AND

netappfabric-attached_storage_8700_firmwareRange≤13.1

Node

netappfabric-attached_storage_8300Match-

AND

netappfabric-attached_storage_8300_firmwareRange≤13.1

Node

netappall_flash_fabric-attached_storage_a400Match-

AND

netappall_flash_fabric-attached_storage_a400_firmwareRange≤13.1

VendorProductVersionCPE
netappfabric-attached_storage_8700-cpe:2.3:h:netapp:fabric-attached_storage_8700:-:*:*:*:*:*:*:*
netappfabric-attached_storage_8700_firmware*cpe:2.3:o:netapp:fabric-attached_storage_8700_firmware:*:*:*:*:*:*:*:*
netappfabric-attached_storage_8300-cpe:2.3:h:netapp:fabric-attached_storage_8300:-:*:*:*:*:*:*:*
netappfabric-attached_storage_8300_firmware*cpe:2.3:o:netapp:fabric-attached_storage_8300_firmware:*:*:*:*:*:*:*:*
netappall_flash_fabric-attached_storage_a400-cpe:2.3:h:netapp:all_flash_fabric-attached_storage_a400:-:*:*:*:*:*:*:*
netappall_flash_fabric-attached_storage_a400_firmware*cpe:2.3:o:netapp:all_flash_fabric-attached_storage_a400_firmware:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
netapp	fabric-attached_storage_8700	-	cpe:2.3:h:netapp:fabric-attached_storage_8700:-:::::::*
netapp	fabric-attached_storage_8700_firmware	*	cpe:2.3:o:netapp:fabric-attached_storage_8700_firmware::::::::
netapp	fabric-attached_storage_8300	-	cpe:2.3:h:netapp:fabric-attached_storage_8300:-:::::::*
netapp	fabric-attached_storage_8300_firmware	*	cpe:2.3:o:netapp:fabric-attached_storage_8300_firmware::::::::
netapp	all_flash_fabric-attached_storage_a400	-	cpe:2.3:h:netapp:all_flash_fabric-attached_storage_a400:-:::::::*
netapp	all_flash_fabric-attached_storage_a400_firmware	*	cpe:2.3:o:netapp:all_flash_fabric-attached_storage_a400_firmware::::::::

CNA Affected

[
  {
    "product": "NetApp FAS 8300/8700 and AFF A400 Baseboard Management Controller",
    "vendor": "NetApp",
    "versions": [
      {
        "status": "affected",
        "version": "13.x prior to 13.1P1"
      }
    ]
  }
]

References

security.netapp.com/advisory/ntap-20200226-0001/

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

7.6

Confidence

High

EPSS

Percentile

12.6%

JSON

Related for CVE-2019-17274