#VU18509 Information disclosure in OnCommand Unified Manager Core Package - CVE-2019-5494

Cybersecurity Help s.r.o.

Published: 2019-05-16

Vulnerability identifier: #VU18509

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-5494

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
OnCommand Unified Manager Core Package
Server applications / Other server solutions

Vendor: NetApp

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to missing certain HTTP Security headers configuration. A remote attacker can gain unauthorized access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

OnCommand Unified Manager Core Package: 5.0 - 5.2.3

External links
https://security.netapp.com/advisory/ntap-20190509-0006/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Information disclosure in NetApp OnCommand Unified Manager Core Package