CVE-2020-7138

Potential remote code execution security vulnerabilities have been identified with HPE Nimble Storage systems that could be exploited by an attacker to gain elevated privileges on the array. The following NimbleOS versions, and all subsequent releases, contain a software fix for this vulnerability: 3.9.3.0 4.5.6.0 5.0.9.0 5.1.4.100

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03992en_us	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

OR	cpe:2.3:o:hpe:nimbleos::::::::
	cpe:2.3:o:hpe:nimbleos::::::::
	cpe:2.3:o:hpe:nimbleos::::::::
	cpe:2.3:o:hpe:nimbleos::::::::

OR	cpe:2.3:h:hpe:nimble_storage_af20_all_flash_array:-:::::::*
	cpe:2.3:h:hpe:nimble_storage_af20q_all_flash_dual_controller:-:::::::*
	cpe:2.3:h:hpe:nimble_storage_af40_all_flash_dual_controller:-:::::::*
	cpe:2.3:h:hpe:nimble_storage_af60_all_flash_dual_controller:-:::::::*
	cpe:2.3:h:hpe:nimble_storage_af80_all_flash_dual_controller:-:::::::*
	cpe:2.3:h:hpe:nimble_storage_cs3000:-:::::::*
	cpe:2.3:h:hpe:nimble_storage_cs5000:-:::::::*
	cpe:2.3:h:hpe:nimble_storage_cs7000:-:::::::*
	cpe:2.3:h:hpe:nimble_storage_secondary_flash_arrays:-:::::::*

History

No history.

Information

Published : 2020-05-19 23:15

Updated : 2024-02-04 21:00

NVD link : CVE-2020-7138

Mitre link : CVE-2020-7138

CVE.ORG link : CVE-2020-7138

JSON object : View

Products Affected

hpe

nimble_storage_cs7000
nimbleos
nimble_storage_af20_all_flash_array
nimble_storage_af40_all_flash_dual_controller
nimble_storage_cs3000
nimble_storage_cs5000
nimble_storage_af20q_all_flash_dual_controller
nimble_storage_af80_all_flash_dual_controller
nimble_storage_secondary_flash_arrays
nimble_storage_af60_all_flash_dual_controller

CWE

NVD-CWE-noinfo

{"id": "CVE-2020-7138", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2020-05-19T23:15:09.867", "references": [{"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03992en_us", "tags": ["Vendor Advisory"], "source": "security-alert@hpe.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Potential remote code execution security vulnerabilities have been identified with HPE Nimble Storage systems that could be exploited by an attacker to gain elevated privileges on the array. The following NimbleOS versions, and all subsequent releases, contain a software fix for this vulnerability: 3.9.3.0 4.5.6.0 5.0.9.0 5.1.4.100"}, {"lang": "es", "value": "Se han identificado potenciales vulnerabilidades de seguridad en la ejecuci\u00f3n de c\u00f3digo remota con los sistemas HPE Nimble Storage que podr\u00edan ser explotadas por un atacante para alcanzar privilegios elevados en la matriz. Las siguientes versiones de NimbleOS, y todas las posteriores, contienen una correcci\u00f3n de software para esta vulnerabilidad: 3.9.3.0 4.5.6.0 5.0.9.0 5.1.4.100"}], "lastModified": "2021-07-21T11:39:23.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hpe:nimbleos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7ED4835A-3E32-4A49-A4AB-34C70B4B5104", "versionEndIncluding": "3.9.3.0", "versionStartIncluding": "3.1.0.0"}, {"criteria": "cpe:2.3:o:hpe:nimbleos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A2C0C83-5678-41EC-A684-DF92D20B1F44", "versionEndIncluding": "4.5.6.0", "versionStartIncluding": "4.1.0.0"}, {"criteria": "cpe:2.3:o:hpe:nimbleos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B7190EA9-2B90-4499-99E3-7A1B3DC178EC", "versionEndIncluding": "5.0.9.0", "versionStartIncluding": "5.0.1.0"}, {"criteria": "cpe:2.3:o:hpe:nimbleos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6FC12F4A-EB6E-40C9-ACD1-13543D059C15", "versionEndIncluding": "5.1.4.100", "versionStartIncluding": "5.1.0.0"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hpe:nimble_storage_af20_all_flash_array:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "80CF1BE0-0224-4190-BBC6-7D4373234E85"}, {"criteria": "cpe:2.3:h:hpe:nimble_storage_af20q_all_flash_dual_controller:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D5E0887F-E894-4821-A171-96D758A8F8CE"}, {"criteria": "cpe:2.3:h:hpe:nimble_storage_af40_all_flash_dual_controller:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "14AC79A7-DDF9-4212-AAEC-458FA7E5E06A"}, {"criteria": "cpe:2.3:h:hpe:nimble_storage_af60_all_flash_dual_controller:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F7985641-BC1A-42B6-8B61-147848AB77AF"}, {"criteria": "cpe:2.3:h:hpe:nimble_storage_af80_all_flash_dual_controller:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "508699FE-1F81-43EE-848F-203420217356"}, {"criteria": "cpe:2.3:h:hpe:nimble_storage_cs3000:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DFD2E78D-2C8F-46BA-804C-10110687F148"}, {"criteria": "cpe:2.3:h:hpe:nimble_storage_cs5000:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DB8C5FF4-BF19-4E0C-BDED-AEBE75E95D7C"}, {"criteria": "cpe:2.3:h:hpe:nimble_storage_cs7000:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "009451E7-756D-47DD-954F-5041389E7C36"}, {"criteria": "cpe:2.3:h:hpe:nimble_storage_secondary_flash_arrays:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DD1E0DC2-CBA3-4921-8458-705F6709E3D5"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security-alert@hpe.com"}