Risk | Critical |
Patch available | YES |
Number of vulnerabilities | 55 |
CVE-ID | CVE-2020-36229 CVE-2020-17438 CVE-2020-13987 CVE-2020-13988 CVE-2020-36221 CVE-2020-36222 CVE-2020-36223 CVE-2020-36224 CVE-2020-36225 CVE-2020-36226 CVE-2020-36227 CVE-2020-36228 CVE-2020-36230 CVE-2020-11080 CVE-2021-27212 CVE-2021-3712 CVE-2021-23840 CVE-2021-3560 CVE-2020-25695 CVE-2020-25694 CVE-2020-25696 CVE-2021-32027 CVE-2021-32028 CVE-2021-3177 CVE-2019-20916 CVE-2021-3156 CVE-2020-17437 CVE-2021-23987 CVE-2021-43589 CVE-2020-29562 CVE-2021-25214 CVE-2021-25215 CVE-2021-22876 CVE-2021-22898 CVE-2021-25217 CVE-2021-21300 CVE-2021-27218 CVE-2021-27219 CVE-2019-25013 CVE-2020-29573 CVE-2020-27618 CVE-2021-3326 CVE-2021-23984 CVE-2021-20231 CVE-2021-20232 CVE-2021-20305 CVE-2021-31535 CVE-2021-3520 CVE-2018-16741 CVE-2018-16742 CVE-2018-16743 CVE-2018-16744 CVE-2018-16745 CVE-2021-23981 CVE-2021-23982 |
CWE-ID | CWE-843 CWE-787 CWE-125 CWE-190 CWE-191 CWE-617 CWE-415 CWE-763 CWE-399 CWE-835 CWE-400 CWE-20 CWE-264 CWE-89 CWE-284 CWE-401 CWE-119 CWE-22 CWE-122 CWE-77 CWE-200 CWE-457 CWE-94 CWE-681 CWE-451 CWE-416 CWE-327 CWE-78 CWE-121 |
Exploitation vector | Network |
Public exploit | Vulnerability #18 is being exploited in the wild. Vulnerability #26 is being exploited in the wild. Public exploit code for vulnerability #36 is available. Public exploit code for vulnerability #47 is available. |
Vulnerable software | Dell EMC Unity XT Operating Environment (OE) (Hardware solutions / Other hardware appliances); Dell EMC UnityVSA Operating Environment (OE) (Hardware solutions / Other hardware appliances); Dell EMC Unity Operating Environment (OE) (Hardware solutions / Other hardware appliances) |
Vendor | Dell |
Security Bulletin
This security bulletin contains information about 55 vulnerabilities.
EUVDB-ID: #VU50396
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-36229
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a type confusion error in ldap_X509dn2bv when parsing X.509 DN in ad_keystring. A remote attacker can send a specially crafted request to slapd and crash it.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU59116
Risk: Critical
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red]
CVE-ID: CVE-2020-17438
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a boundary error when processing IP packets. The code that reassembles fragmented packets fails to properly validate the total length of an incoming packet specified in its IP header, as well as the fragmentation offset value specified in the IP header. A remote attacker can send specially crafted IP packets to the system, trigger an out-of-bounds write and execute arbitrary code on the target system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU59117
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-13987
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in the uIP TCP/IP Stack component when calculating the checksums for IP packets in upper_layer_chksum in net/ipv4/uip.c.
A remote attacker can send specially crafted traffic to the system, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU48916
Risk: Low
CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2020-13988
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an integer overflow. A remote attacker on the local network can send a specially crafted IP packet, trigger an integer overflow and cause a denial of service on the target system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50389
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-36221
CWE-ID:
CWE-191 - Integer underflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an integer underflow within the serialNumberAndIssuerCheck() function in schema_init.c. A remote attacker can send a specially crafted request to the affected application, trigger an integer underflow and crash slapd.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50390
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-36222
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion in slapd in the saslAuthzTo validation. A remote attacker can send a specially crafted request and perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50391
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-36223
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error during the Values Return Filter control handling. A remote attacker can send a specially crafted request to slapd, trigger a double free error and perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50398
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-36224
CWE-ID:
CWE-763 - Release of invalid pointer or reference
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to release of an invalid pointer when processing saslAuthzTo requests. A remote attacker can send a specially crafted request to slapd and perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50392
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-36225
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error in the saslAuthzTo processing. A remote attacker can send a specially crafted request to slapd, trigger a double free error and perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50393
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-36226
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application, leading to a memch->bv_len miscalculation during saslAuthzTo processing. A remote attacker can send a specially crafted request to slapd and perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50394
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-36227
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop in slapd with the cancel_extop Cancel operation. A remote attacker can send a specially crafted request and cause a denial of service condition.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50395
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-36228
CWE-ID:
CWE-191 - Integer underflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an integer underflow when processing the certificate list exact assertion. A remote attacker can send a specially crafted request to slapd, trigger an integer underflow and perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50397
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-36230
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when parsing the X.509 DN within the ber_next_element() function in decode.c. A remote attacker can send a specially crafted request to slapd and perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU28538
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-11080
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when processing HTTP/2 SETTINGS frames. A remote attacker can trigger high CPU load by sending large HTTP/2 SETTINGS frames and perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50779
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-27212
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when processing LDAP packets within the issuerAndThisUpdateCheck() function in schema_init.c. A remote attacker can send a specially crafted packet with a short timestamp to slapd and perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU56064
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-3712
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition when processing ASN.1 strings related to a confusion with NULL termination of strings in array. A remote attacker can pass specially crafted data to the application to trigger an out-of-bounds read error and read contents of memory on the system or perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50745
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-23840
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input during EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate calls. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU53837
Risk: Low
CVSSv4.0: 8.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear]
CVE-ID: CVE-2021-3560
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: Yes
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists because the application does not properly impose security restrictions in the "polkit_system_bus_name_get_creds_sync" function, which leads to security restrictions bypass and privilege escalation.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
EUVDB-ID: #VU48436
Risk: Medium
CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-25695
CWE-ID:
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote authenticated attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete or modify data in the database and gain complete control over the affected application.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
CPE2.3https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU48437
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-25694
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can perform a man-in-the-middle attack or observe clear-text transmissions and downgrade connection security settings.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU48438
Risk: Medium
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-25696
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists because the "\gset" meta-command does not distinguish variables that control psql behavior. A remote attacker can execute arbitrary code as the operating system account.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU53231
Risk: Medium
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-32027
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an integer overflow when processing certain SQL array values during array subscripting calculation. An authenticated database user can pass specially crafted data to the application, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system and can be exploited by a remote unauthenticated attacker via an SQL injection vulnerability in the frontend application.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU53232
Risk: Medium
CVSSv4.0: 5.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-32028
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
Description
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to a memory leak within the INSERT ... ON CONFLICT ... DO UPDATE command implementation. A remote authenticated database user can execute the affected command to read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU49973
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-3177
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within PyCArg_repr in _ctypes/callproc.c. A remote attacker can pass specially crafted input to Python applications that accept floating-point numbers as untrusted input, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU48600
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-20916
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences passed via URL to the install command within the _download_http_url() function in _internal/download.py. A remote attacker can send a specially crafted HTTP request with the Content-Disposition header that contains directory traversal characters in the filename and overwrite the /root/.ssh/authorized_keys file.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
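The filename handling behind the CVE-2019-20916 entry above, as an added example that is not pip's own code: a download client takes the file name from the Content-Disposition header, and the hardened path keeps only the final path component and then confirms the resolved target is still inside the download directory. All function names and the sample header are constructed for illustration.

```python
import os
from email.message import Message


def filename_from_header(content_disposition):
    """Extract the raw filename parameter from a Content-Disposition value."""
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename()  # None when no filename parameter is present


def bare_filename(name):
    """Reduce a server-supplied name to its final path component, or None."""
    # Treat both separators as path separators, whatever the local platform.
    base = name.replace("\\", "/").rsplit("/", 1)[-1].replace("\x00", "")
    return None if base in ("", ".", "..") else base


def unsafe_download_path(download_dir, content_disposition):
    """Weak pattern: the header's filename is joined to the directory as is."""
    raw = filename_from_header(content_disposition)
    return os.path.normpath(os.path.join(download_dir, raw))


def safe_download_path(download_dir, content_disposition, default_name):
    """Return a target path that is guaranteed to lie inside download_dir.

    default_name is the fallback (for example, derived from the URL) used
    when the header is absent or carries no usable file name.
    """
    name = default_name
    if content_disposition:
        raw = filename_from_header(content_disposition)
        cleaned = bare_filename(raw) if raw else None
        if cleaned:
            name = cleaned

    # Second layer: resolve symlinks and ".." and require containment, so a
    # bad default_name or a symlink planted in the directory is also caught.
    root = os.path.realpath(download_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("download target escapes the download directory")
    return target


if __name__ == "__main__":
    # Constructed sample header, as a hostile package index might send it.
    header = 'attachment; filename="../../outside/target.txt"'
    downloads = "/tmp/example-downloads"
    print("unsafe:", unsafe_download_path(downloads, header))
    print("safe:  ", safe_download_path(downloads, header, "pkg.tar.gz"))
```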
EUVDB-ID: #VU50040
Risk: Low
CVSSv4.0: 8.5 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Clear]
CVE-ID: CVE-2021-3156
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: Yes
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a boundary error in sudo. A local user can pass specially crafted data to the application, trigger heap-based buffer overflow and execute arbitrary code on the target system with root privileges.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
EUVDB-ID: #VU59115
Risk: Critical
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red]
CVE-ID: CVE-2020-17437
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a boundary error when processing TCP packets with the Urgent flag set. A remote attacker can send specially crafted traffic to the system, trigger an out-of-bounds write and execute arbitrary code on the target system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51667
Risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-23987
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTML content. A remote attacker can create a specially crafted website, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU59114
Risk: Low
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-43589
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient input validation. A local privileged user can run a specially crafted command and escalate privileges on the system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU49670
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-29562
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when converting UCS4 text containing an irreversible character in the iconv function in the GNU C Library (aka glibc or libc6). A remote attacker can pass specially crafted data to the library, trigger an assertion failure and perform a denial of service attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU52734
Risk: Low
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-25214
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when processing IXFR queries. An IXFR stream containing SOA records with an owner name other than the transferred zone's apex may cause the receiving named server to inadvertently remove the SOA record for the zone in question from the zone database. This leads to an assertion failure when the next SOA refresh query for that zone is made. When a vulnerable version of named receives a malformed IXFR triggering the flaw described above, the named process will terminate due to a failed assertion the next time the transferred secondary zone is refreshed.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU52736
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-25215
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion when processing DNAME records. A remote attacker can force named to add the same RRset to the ANSWER section more than once, trigger an assertion failure and crash the service. Both authoritative and recursive servers are affected by this issue during zone transfers.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51821
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-22876
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because libcurl does not strip user credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second HTTP request.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
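The Referer behaviour described in the CVE-2021-22876 entry above, as an added example that is not libcurl's code: an HTTP client that fills in Referer automatically when following a redirect, shown in a leaky form and in a form that drops the userinfo part and fragment first, plus a check usable when auditing captured request headers. The function names, hosts and credentials are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit


def strip_userinfo(url):
    """Return url without user:password@ and without the fragment."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal: restore the brackets
        host = "[" + host + "]"
    netloc = host if parts.port is None else f"{host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, ""))


def leaky_redirect_request(previous_url, location):
    """Weak pattern: the previous URL is copied into Referer verbatim."""
    return urljoin(previous_url, location), {"Referer": previous_url}


def redirect_request(previous_url, location):
    """Build the follow-up request with a credential-free Referer."""
    next_url = urljoin(previous_url, location)   # Location may be relative
    return next_url, {"Referer": strip_userinfo(previous_url)}


def referer_leaks_credentials(referer_value):
    """Audit helper: True when a Referer value carries a user name or password."""
    parts = urlsplit(referer_value)
    return parts.username is not None or parts.password is not None


if __name__ == "__main__":
    # Constructed sample: first request carries credentials in the URL and
    # the server redirects to a different host.
    first = "https://alice:s3cret@files.example.com:8443/start?x=1#top"
    for build in (leaky_redirect_request, redirect_request):
        url, headers = build(first, "https://cdn.example.net/pkg")
        print(build.__name__, url, headers,
              "leak" if referer_leaks_credentials(headers["Referer"]) else "ok")
```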
EUVDB-ID: #VU53587
Risk: Medium
CVSSv4.0: 1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-22898
CWE-ID:
CWE-457 - Use of Uninitialized Variable
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the use of an uninitialized variable in the code responsible for processing TELNET requests when parsing NEW_ENV variables. A remote attacker can force the affected application to connect to a telnet server under the attacker's control and read up to 1800 bytes from the uninitialized memory on the libcurl client system.
Proof of concept:
curl telnet://example.com -tNEW_ENV=a,bbbbbb (256 'b's)
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU53609
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-25217
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack or gain access to sensitive information.
The vulnerability exists due to insufficient validation of options data stored in DHCP leases. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack or gain access to sensitive information.
Both dhcpd and dhclient are affected by the vulnerability.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51337
Risk: High
CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2021-21300
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: Yes
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation in Git for Visual Studio. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
EUVDB-ID: #VU51455
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-27218
CWE-ID:
CWE-681 - Incorrect Conversion between Numeric Types
Exploit availability: No
Description
The vulnerability allows a local user to bypass implemented security restrictions.
The vulnerability exists due to incorrect conversion between numeric types in GNOME GLib. If g_byte_array_new_take() is called with a buffer of 4GB or more on a 64-bit platform, the length is truncated modulo 2**32, causing unintended length truncation.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51456
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-27219
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an integer overflow within the g_bytes_new() function on 64-bit platforms, caused by an implicit cast from 64 bits to 32 bits. A local user can run a specially crafted program to trigger an integer overflow and execute arbitrary code with elevated privileges.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50329
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2019-25013
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary condition in the GNU C Library within the iconv feature when processing multi-byte input sequences in the EUC-KR encoding. A remote attacker can pass specially crafted input to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50362
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-29573
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within sysdeps/i386/ldbl2mpn.c in the GNU C Library on x86 systems. A remote attacker can pass specially crafted data to an application that uses the vulnerable version of glibc and crash it.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50404
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-27618
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop within the iconv implementation when processing multi-byte input sequences in the IBM1364, IBM1371, IBM1388, IBM1390 and IBM1399 encodings. A remote attacker can pass specially crafted data to the application, consume all available system resources and cause denial of service conditions.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50075
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-3326
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the iconv function in the GNU C Library (aka glibc or libc6) when processing invalid input sequences in the ISO-2022-JP-3 encoding. A remote attacker can pass specially crafted data to the application, trigger an assertion failure and crash the affected application.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51664
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-23984
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data. A malicious extension could have opened a popup window lacking an address bar. The title of the popup lacking an address bar should not be fully controllable, but in this situation was. This could have been used to spoof a website and attempt to trick the user into providing credentials.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51441
Risk: Low
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-20231
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error in the client when sending the key_share extension. A remote attacker can trick the victim into connecting to a malicious server using a large Client Hello message over TLS 1.3, trigger a use-after-free error and crash the application or execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51442
Risk: Low
CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2021-20232
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
Description
The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists due to a use-after-free error in client_send_params in lib/ext/pre_shared_key.c. A remote attacker can trick the victim into connecting to a malicious server using a large Client Hello message over TLS 1.3, trigger a use-after-free error and crash the application or execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU52195
Risk: High
CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-20305
CWE-ID:
CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
Exploit availability: No
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
A flaw was found in Nettle in versions before 3.7.2, where several Nettle signature verification functions (GOST DSA, EDDSA & ECDSA) result in the Elliptic Curve Cryptography (ECC) point multiply function being called with out-of-range scalars, possibly resulting in incorrect results. This flaw allows an attacker to force an invalid signature, causing an assertion failure or possible validation. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU53336
Risk: Low
CVSSv4.0: 1.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]
CVE-ID: CVE-2021-31535
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of color names within the XLookupColor() function. A local user can run a specially crafted application on the system and perform a denial of service (DoS) attack.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
EUVDB-ID: #VU53439
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2021-3520
CWE-ID:
CWE-190 - Integer overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to an integer overflow in the fast LZ compression algorithm library. A remote attacker can pass a specially crafted archive, trick the victim into opening it, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU15169
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-16741
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
Description
The vulnerability allows a local user to execute arbitrary shell commands on the target system.
The vulnerability exists in mgetty before 1.2.1 due to improper sanitization of shell metacharacters in the do_activate() function in fax/faxq-helper.c. A local user can use ||, &&, or > characters within a file created by the "faxq-helper activate <jobid>" command to execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU31208
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2018-16742
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing a command-line parameter. A remote unauthenticated attacker can trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU31209
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-16743
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a local authenticated user to execute arbitrary code.
An issue was discovered in mgetty before 1.2.1. In contrib/next-login/login.c, the command-line parameter username is passed unsanitized to strcpy(), which can cause a stack-based buffer overflow.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU31210
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-16744
CWE-ID:
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Exploit availability: No
Description
The vulnerability allows a local authenticated user to execute arbitrary code.
An issue was discovered in mgetty before 1.2.1. In fax_notify_mail() in faxrec.c, the mail_to parameter is not sanitized. It could allow for command injection if untrusted input can reach it, because popen is used.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU31211
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-16745
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a local authenticated user to execute arbitrary code.
An issue was discovered in mgetty before 1.2.1. In fax_notify_mail() in faxrec.c, the mail_to parameter is not sanitized. It could allow a buffer overflow if long untrusted input can reach it.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
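The two mail_to issues above (CVE-2018-16744 and CVE-2018-16745) share one class of remedy: validate the recipient against a character allowlist and a length limit, copy it only with a bounds check, and pass it as a single argv element instead of through popen(). The following C code is an added example, not mgetty's code or its actual patch; the function names, MAIL_TO_MAX, the mailer path and the sample recipients are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAIL_TO_MAX 128 /* assumed limit, not a value taken from mgetty */

/* Return 1 if addr is safe to hand to a mailer as one argument, else 0. */
int mail_to_is_safe(const char *addr)
{
    static const char allowed[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789@._+-";
    size_t len;

    if (addr == NULL || addr[0] == '-')  /* leading '-' would parse as an option */
        return 0;
    len = strlen(addr);
    if (len == 0 || len >= MAIL_TO_MAX)  /* empty or over-long: reject, never truncate */
        return 0;
    return strspn(addr, allowed) == len; /* rejects | & > ; ` $ and whitespace */
}

/* Bounded copy of a validated recipient; 0 on success, -1 on rejection. */
int copy_mail_to(char *dst, size_t dstsz, const char *addr)
{
    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (!mail_to_is_safe(addr) || strlen(addr) >= dstsz)
        return -1;
    memcpy(dst, addr, strlen(addr) + 1);
    return 0;
}

/* Fill argv for execv(): no shell ever parses the recipient string. */
int build_mailer_argv(const char *argv[3], const char *mailer, const char *rcpt)
{
    if (mailer == NULL || !mail_to_is_safe(rcpt))
        return -1;
    argv[0] = mailer; argv[1] = rcpt; argv[2] = NULL;
    return 0;
}

int main(void)
{
    const char *argv[3]; /* constructed sample inputs; mailer path is hypothetical */
    printf("%d %d\n", build_mailer_argv(argv, "/usr/sbin/sendmail", "ops@example.org"),
           build_mailer_argv(argv, "/usr/sbin/sendmail", "ops@example.org || true"));
    return 0;
}
```
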
EUVDB-ID: #VU51661
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-23981
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition during texture upload of a Pixel Buffer Object in WebGL. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger an out-of-bounds read and read the contents of memory on the system.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU51662
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-23982
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the way Firefox handles requests to internal hosts. Using techniques that built on the slipstream research, a malicious webpage could have used WebRTC connections to scan both an internal network's hosts and services running on the user's local machine.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Dell EMC Unity XT Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC UnityVSA Operating Environment (OE): before 5.1.2.0.5.007
Dell EMC Unity Operating Environment (OE): before 5.1.2.0.5.007
CPE2.3
https://www.dell.com/support/kbdoc/fr-fr/printview/000194836/10/en
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.