CVE-2022-26856

Dell EMC Repository Manager version 3.4.0 contains a plain-text password storage vulnerability. A local attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application's database with privileges of the compromised account.

CVSS v3 7.8 HIGH
CVSS v2.0 2.1 LOW

7.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://www.dell.com/support/kbdoc/000197797	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dell:emc_repository_manager:3.4.0:*:*:*:*:*:*:*

History

03 May 2022, 19:13

Type	Values Removed	Values Added
References	~~(MISC) https://www.dell.com/support/kbdoc/000197797 -~~	(MISC) https://www.dell.com/support/kbdoc/000197797 - Vendor Advisory
First Time		Dell emc Repository Manager Dell
CPE		cpe:2.3:a:dell:emc_repository_manager:3.4.0:::::::*
CWE		CWE-522
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : 2.1 v3 : 7.8

21 Apr 2022, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-04-21 21:15

Updated : 2023-12-10 14:22

NVD link : CVE-2022-26856

Mitre link : CVE-2022-26856

CVE.ORG link : CVE-2022-26856

JSON object : View

Products Affected

dell

emc_repository_manager

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2022-26856", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security_alert@emc.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.5}]}, "published": "2022-04-21T21:15:07.940", "references": [{"url": "https://www.dell.com/support/kbdoc/000197797", "tags": ["Vendor Advisory"], "source": "security_alert@emc.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}, {"type": "Secondary", "source": "security_alert@emc.com", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "Dell EMC Repository Manager version 3.4.0 contains a plain-text password storage vulnerability. A local attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application's database with privileges of the compromised account."}, {"lang": "es", "value": "Dell EMC Repository Manager versi\u00f3n 3.4.0, contiene una vulnerabilidad en el almacenamiento de contrase\u00f1as de texto plano. Un atacante local podr\u00eda explotar esta vulnerabilidad, conllevando a una divulgaci\u00f3n de determinadas credenciales de usuario. El atacante podr\u00eda usar las credenciales expuestas para acceder a la base de datos de la aplicaci\u00f3n vulnerable con los privilegios de la cuenta comprometida"}], "lastModified": "2022-05-03T19:13:05.653", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dell:emc_repository_manager:3.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B997C1EE-40A4-4B20-B97E-9548B23EB96C"}], "operator": "OR"}]}], "sourceIdentifier": "security_alert@emc.com"}