CVE-2020-29489

Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contains a plain-text password storage vulnerability. A user credentials (including the Unisphere admin privilege user) password is stored in a plain text in a system file. A local authenticated attacker with access to the system files may use the exposed password to gain access with the privileges of the compromised user.

CVSS v3 6.7 MEDIUM
CVSS v2.0 4.6 MEDIUM

6.7^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 0.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

4.6^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 3.9 / Impact : 6.4

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://www.dell.com/support/kbdoc/000181248	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dell:emc_unity_operating_environment::::::::
	cpe:2.3:a:dell:emc_unity_vsa_operating_environment::::::::
	cpe:2.3:a:dell:emc_unity_xt_operating_environment::::::::

History

12 Jan 2021, 15:08

Type	Values Removed	Values Added
References	~~(MISC) https://www.dell.com/support/kbdoc/000181248 -~~	(MISC) https://www.dell.com/support/kbdoc/000181248 - Vendor Advisory
CPE		cpe:2.3:a:dell:emc_unity_vsa_operating_environment:::::::: cpe:2.3:a:dell:emc_unity_xt_operating_environment:::::::: cpe:2.3:a:dell:emc_unity_operating_environment::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 4.6 v3 : 6.7
CWE		CWE-312

05 Jan 2021, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-01-05 22:15

Updated : 2023-12-10 13:41

NVD link : CVE-2020-29489

Mitre link : CVE-2020-29489

CVE.ORG link : CVE-2020-29489

JSON object : View

Products Affected

dell

emc_unity_xt_operating_environment
emc_unity_operating_environment
emc_unity_vsa_operating_environment

CWE

CWE-312

Cleartext Storage of Sensitive Information

CWE-276

Incorrect Default Permissions

{"id": "CVE-2020-29489", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.6, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}, {"type": "Secondary", "source": "security_alert@emc.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.4, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.5}]}, "published": "2021-01-05T22:15:13.877", "references": [{"url": "https://www.dell.com/support/kbdoc/000181248", "tags": ["Vendor Advisory"], "source": "security_alert@emc.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-312"}]}, {"type": "Secondary", "source": "security_alert@emc.com", "description": [{"lang": "en", "value": "CWE-276"}]}], "descriptions": [{"lang": "en", "value": "Dell EMC Unity, Unity XT, and UnityVSA versions prior to 5.0.4.0.5.012 contains a plain-text password storage vulnerability. A user credentials (including the Unisphere admin privilege user) password is stored in a plain text in a system file. A local authenticated attacker with access to the system files may use the exposed password to gain access with the privileges of the compromised user."}, {"lang": "es", "value": "Dell EMC Unity, Unity XT y UnityVSA versiones anteriores a 5.0.4.0.5.012, contienen una vulnerabilidad de almacenamiento de contrase\u00f1a de texto plano. Una contrase\u00f1a de credenciales de usuario (incluyendo privilegios de usuario administrador Unisphere) es almacenada en texto plano en un archivo del sistema. Un atacante autenticado local con acceso a archivos del sistema puede usar la contrase\u00f1a expuesta para conseguir acceso con los privilegios del usuario comprometido"}], "lastModified": "2021-01-12T15:08:11.387", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dell:emc_unity_operating_environment:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "169B99ED-A85F-4121-AAA7-39892537615B", "versionEndExcluding": "5.0.4.0.5.012"}, {"criteria": "cpe:2.3:a:dell:emc_unity_vsa_operating_environment:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1D769A28-9818-4264-8A6D-04AB8B82DE76", "versionEndExcluding": "5.0.4.0.5.012"}, {"criteria": "cpe:2.3:a:dell:emc_unity_xt_operating_environment:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "86AB432A-FAF3-4B9C-B15C-DCBF68C77EB5", "versionEndExcluding": "5.0.4.0.5.012"}], "operator": "OR"}]}], "sourceIdentifier": "security_alert@emc.com"}