CVE-2022-28620

A remote authentication bypass vulnerability was discovered in HPE Cray Legacy Shasta System Solutions; HPE Slingshot; and HPE Cray EX supercomputers versions: Prior to node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware associated with HPE Cray EX liquid cooled cabinets prior to 1.6.27/1.5.33/1.4.27; All Slingshot versions prior to 1.7.2; All versions of node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware associated with HPE Cray EX liquid cooled cabinets prior to 1.6.27/1.5.33/1.4.27. HPE has provided a software update to resolve this vulnerability in HPE Cray Legacy Shasta System Solutions, HPE Slingshot, and HPE Cray EX Supercomputers.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbcr04284en_us	Vendor Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbcr04284en_us	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:hpe:slingshot_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:hpe:slingshot:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

OR	cpe:2.3:o:hpe:cray_ex_supercomputers_firmware:1.4.27:::::::*
	cpe:2.3:o:hpe:cray_ex_supercomputers_firmware:1.5.33:::::::*
	cpe:2.3:o:hpe:cray_ex_supercomputers_firmware:1.6.27:::::::*

cpe:2.3:h:hpe:cray_ex_supercomputers:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

OR	cpe:2.3:o:hpe:cray_sh_supercomputer_air_cooled_base_system_code_firmware:1.4.27:::::::*
	cpe:2.3:o:hpe:cray_sh_supercomputer_air_cooled_base_system_code_firmware:1.5.33:::::::*
	cpe:2.3:o:hpe:cray_sh_supercomputer_air_cooled_base_system_code_firmware:1.6.27:::::::*

cpe:2.3:h:hpe:cray_sh_supercomputer_air_cooled_base_system_code:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

OR	cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_base_system_code_firmware:1.4.27:::::::*
	cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_base_system_code_firmware:1.5.33:::::::*
	cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_base_system_code_firmware:1.6.27:::::::*

cpe:2.3:h:hpe:cray_sh_supercomputer_liquid_cooled_base_system_code:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

OR	cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_tds_base_system_code_firmware:1.4.27:::::::*
	cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_tds_base_system_code_firmware:1.5.33:::::::*
	cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_tds_base_system_code_firmware:1.6.27:::::::*

cpe:2.3:h:hpe:cray_sh_supercomputer_liquid_cooled_tds_base_system_code:-:*:*:*:*:*:*:*

History

21 Nov 2024, 06:57

Type	Values Removed	Values Added
References	~~() https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbcr04284en_us - Vendor Advisory~~	() https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbcr04284en_us - Vendor Advisory

08 Aug 2023, 14:21

Type	Values Removed	Values Added
CWE	~~CWE-287~~	NVD-CWE-noinfo

05 Jul 2022, 17:20

Type	Values Removed	Values Added
CWE		CWE-287
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 7.5 v3 : 9.8
References	~~(MISC) https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbcr04284en_us -~~	(MISC) https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbcr04284en_us - Vendor Advisory
CPE		cpe:2.3:o:hpe:cray_ex_supercomputers_firmware:1.5.33:::::::* cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_base_system_code_firmware:1.4.27:::::::* cpe:2.3:h:hpe:cray_sh_supercomputer_air_cooled_base_system_code:-:::::::* cpe:2.3:o:hpe:cray_sh_supercomputer_air_cooled_base_system_code_firmware:1.5.33:::::::* cpe:2.3:o:hpe:cray_sh_supercomputer_air_cooled_base_system_code_firmware:1.6.27:::::::* cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_base_system_code_firmware:1.5.33:::::::* cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_tds_base_system_code_firmware:1.5.33:::::::* cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_tds_base_system_code_firmware:1.4.27:::::::* cpe:2.3:h:hpe:slingshot:-:::::::* cpe:2.3:o:hpe:cray_ex_supercomputers_firmware:1.6.27:::::::* cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_base_system_code_firmware:1.6.27:::::::* cpe:2.3:h:hpe:cray_ex_supercomputers:-:::::::* cpe:2.3:o:hpe:cray_ex_supercomputers_firmware:1.4.27:::::::* cpe:2.3:o:hpe:slingshot_firmware:::::::: cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_tds_base_system_code_firmware:1.6.27:::::::* cpe:2.3:o:hpe:cray_sh_supercomputer_air_cooled_base_system_code_firmware:1.4.27:::::::* cpe:2.3:h:hpe:cray_sh_supercomputer_liquid_cooled_base_system_code:-:::::::* cpe:2.3:h:hpe:cray_sh_supercomputer_liquid_cooled_tds_base_system_code:-:::::::*

24 Jun 2022, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-06-24 15:15

Updated : 2024-11-21 06:57

NVD link : CVE-2022-28620

Mitre link : CVE-2022-28620

CVE.ORG link : CVE-2022-28620

JSON object : View

Products Affected

hpe

slingshot
cray_sh_supercomputer_liquid_cooled_tds_base_system_code
cray_sh_supercomputer_air_cooled_base_system_code
cray_sh_supercomputer_liquid_cooled_base_system_code
cray_sh_supercomputer_air_cooled_base_system_code_firmware
cray_ex_supercomputers_firmware
cray_ex_supercomputers
cray_sh_supercomputer_liquid_cooled_tds_base_system_code_firmware
cray_sh_supercomputer_liquid_cooled_base_system_code_firmware
slingshot_firmware

CWE

NVD-CWE-noinfo

{"id": "CVE-2022-28620", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-06-24T15:15:10.300", "references": [{"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbcr04284en_us", "tags": ["Vendor Advisory"], "source": "security-alert@hpe.com"}, {"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbcr04284en_us", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "A remote authentication bypass vulnerability was discovered in HPE Cray Legacy Shasta System Solutions; HPE Slingshot; and HPE Cray EX supercomputers versions: Prior to node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware associated with HPE Cray EX liquid cooled cabinets prior to 1.6.27/1.5.33/1.4.27; All Slingshot versions prior to 1.7.2; All versions of node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware associated with HPE Cray EX liquid cooled cabinets prior to 1.6.27/1.5.33/1.4.27. HPE has provided a software update to resolve this vulnerability in HPE Cray Legacy Shasta System Solutions, HPE Slingshot, and HPE Cray EX Supercomputers."}, {"lang": "es", "value": "Se ha detectado una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n remota en HPE Cray Legacy Shasta System Solutions versiones; HPE Slingshot; y HPE Cray EX: Antes del firmware del controlador de nodo asociado a HPE Cray EX liquid cooled blades, y todas las versiones del firmware del controlador de chasis asociado a HPE Cray EX liquid cooled cabinets anteriores a 1.6.27/1.5.33/1.4.27; Todas las versiones de Slingshot anteriores a 1.7.2; Todas las versiones del firmware del controlador de nodo asociado a HPE Cray EX liquid cooled blades, y todas las versiones del firmware de HPE Cray EX liquid cooled cabinets anteriores a 1.6.27/1.5.33/1.4.27. HPE ha proporcionado una actualizaci\u00f3n de software para resolver esta vulnerabilidad en HPE Cray Legacy Shasta System Solutions, HPE Slingshot y HPE Cray EX Supercomputers"}], "lastModified": "2024-11-21T06:57:35.767", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hpe:slingshot_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ED8D592F-2D4B-490B-A42E-B07EBB57D0D0", "versionEndExcluding": "1.7.2"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hpe:slingshot:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "33DBC1FC-8EE1-4A57-81A0-AC2DAD200A87"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hpe:cray_ex_supercomputers_firmware:1.4.27:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "790D6EEC-1775-4DA9-B1FB-2B1082CD9139"}, {"criteria": "cpe:2.3:o:hpe:cray_ex_supercomputers_firmware:1.5.33:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "64F46EDC-F1A1-490A-8969-0A724537FECA"}, {"criteria": "cpe:2.3:o:hpe:cray_ex_supercomputers_firmware:1.6.27:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E78EA7A-76CE-43D2-9F6E-D6099584E0B5"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hpe:cray_ex_supercomputers:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "46057B8D-39B9-46E3-A821-7E262774D46E"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hpe:cray_sh_supercomputer_air_cooled_base_system_code_firmware:1.4.27:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "08571947-2DAA-4B42-9613-D0D0525556C9"}, {"criteria": "cpe:2.3:o:hpe:cray_sh_supercomputer_air_cooled_base_system_code_firmware:1.5.33:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "95507560-65C6-4874-AFAF-B0D74E4F0286"}, {"criteria": "cpe:2.3:o:hpe:cray_sh_supercomputer_air_cooled_base_system_code_firmware:1.6.27:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9A1B9BF-204C-40DF-8322-97F454D7CF1A"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hpe:cray_sh_supercomputer_air_cooled_base_system_code:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "53FE5407-8D04-4A4D-9637-630DDED6487D"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_base_system_code_firmware:1.4.27:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D183ECC8-D3CA-46C6-AA21-D1248B19FF46"}, {"criteria": "cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_base_system_code_firmware:1.5.33:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D62FC0A-B91E-4368-B184-32087B105775"}, {"criteria": "cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_base_system_code_firmware:1.6.27:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19EFA80F-C642-4E43-ACBA-A5ABDFCBBE0D"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hpe:cray_sh_supercomputer_liquid_cooled_base_system_code:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "75CB1243-32CF-423D-8BBD-9DD24BE717E7"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_tds_base_system_code_firmware:1.4.27:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B01A0B0-365C-45AF-A5E4-C67E8874A29A"}, {"criteria": "cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_tds_base_system_code_firmware:1.5.33:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97A7879B-D0F5-4C6A-9C6B-FB20AAA3D5AC"}, {"criteria": "cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_tds_base_system_code_firmware:1.6.27:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "04ED6DCA-907B-4CAF-82DD-DBC2F8B35EE7"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:hpe:cray_sh_supercomputer_liquid_cooled_tds_base_system_code:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C7A9C174-0419-48EA-99B7-F0464DE32C05"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security-alert@hpe.com"}

9.8 /10