SB2025042510 - Dell EMC NetWorker vProxy update for third-party components
Published: April 25, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) Improper access control (CVE-ID: CVE-2024-8805)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions within the implementation of the HID over GATT Profile. A remote attacker on the local network can bypass implemented security restrictions and execute arbitrary code on the target system.
2) Resource management error (CVE-ID: CVE-2023-5678)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within DH_generate_key() and DH_check_pub_key() functions. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.
3) State Issues (CVE-ID: CVE-2023-6129)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an error in POLY1305 MAC (message authentication code) implementation on PowerPC CPU based platforms if the CPU provides vector instructions. A remote attacker can perform a denial of service (DoS) attack.
4) NULL pointer dereference (CVE-ID: CVE-2024-0727)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error when processing fields in the PKCS12 certificate. A remote attacker can pass specially crafted certificate to the server and perform a denial of service (DoS) attack.
5) Information disclosure (CVE-ID: CVE-2023-46218)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an error in curl that allows a malicious HTTP server to set "super cookies" that are then passed back to more origins than what is otherwise allowed or possible. A remote attacker can force curl to send such cookie to different and unrelated sites and domains.
6) Missing Encryption of Sensitive Data (CVE-ID: CVE-2023-46219)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to an error when handling HSTS long file names. When saving HSTS data to an excessively long file name, curl can end
up removing all contents from the file, making subsequent requests using that file
unaware of the HSTS status they should otherwise use. As a result, a remote attacker can perform MitM attack.
7) Comparison using wrong factors (CVE-ID: CVE-2024-9681)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to an error in HSTS cache implementation. When curl is asked to use HSTS, the expiry time for a subdomain can overwrite a parent domain's cache entry, making it end sooner or later
than otherwise intended. This can lead to situations when the website becomes unavailable or force the client to switch to HTTP from HTTP connection earlier than intended.
8) Resource exhaustion (CVE-ID: CVE-2023-52425)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing large tokens. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
9) XML Entity Expansion (CVE-ID: CVE-2023-52426)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to recursive XML Entity Expansion if XML_DTD is undefined at compile time. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.