Multiple vulnerabilities in Dell EMC Data Protection Advisor
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2019-2540 CVE-2018-11212 CVE-2019-2426 CVE-2019-2449 CVE-2019-2422 |
| CWE-ID | CWE-284 CWE-369 CWE-264 CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
EMC Data Protection Advisor Server applications / Other server solutions |
| Vendor | Dell |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU36230
Risk: Medium
CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-2540
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Vulnerability in the Java Advanced Management Console component of Oracle Java SE (subcomponent: Server). The supported version that is affected is Java Advanced Management Console: 2.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java Advanced Management Console. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java Advanced Management Console, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java Advanced Management Console accessible data as well as unauthorized read access to a subset of Java Advanced Management Console accessible data. CVSS 3.0 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
MitigationInstall update from vendor's website.
Vulnerable software versionsEMC Data Protection Advisor: before 6.5 patch 136
CPE2.3 External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Division by zero
EUVDB-ID: #VU17049
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-11212
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition.
The weakness exists due to division by zero error within the libjpeg library within the libjpeg-turbo in alloc_sarray() function of jmemmgr.c file. A remote attacker can pass a specially crafted file the to affected application and cause application to crash.
Install update from vendor's website.
Vulnerable software versionsEMC Data Protection Advisor: before 6.5 patch 136
CPE2.3 External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU17050
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-2426
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists due to unspecified flaw in Networking component. A remote attacker read arbitrary data.
Install update from vendor's website.
Vulnerable software versionsEMC Data Protection Advisor: before 6.5 patch 136
CPE2.3 External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Denial of service
EUVDB-ID: #VU17052
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-2449
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition.
The weakness exists due to unspecified flaw in Deployment component. A remote attacker cause the service to crash.
Install update from vendor's website.
Vulnerable software versionsEMC Data Protection Advisor: before 6.5 patch 136
CPE2.3 External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Information disclosure
EUVDB-ID: #VU17051
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-2422
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists due to unspecified flaw in Libraries component. A remote attacker can gain access to sensitive information on the system.
Install update from vendor's website.
Vulnerable software versionsEMC Data Protection Advisor: before 6.5 patch 136
CPE2.3 External linksQ & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
