CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1205
https://notcve.org/view.php?id=CVE-2018-1205
Dell EMC ScaleIO, versions prior to 2.5, do not properly handle some packet data in the MDM service. As a result, a remote attacker could potentially send specifically crafted packet data to the MDM service causing it to crash. Dell EMC ScaleIO, en versiones anteriores a la 2.5, no gestiona correctamente algunos datos de paquetes en el servicio MDM. Como resultado, un atacante remoto podría enviar datos de paquetes especialmente manipulados al servicio MDM, lo que provocaría su cierre inesperado. • http://seclists.org/fulldisclosure/2018/Mar/59 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1238
https://notcve.org/view.php?id=CVE-2018-1238
Dell EMC ScaleIO versions prior to 2.5, contain a command injection vulnerability in the Light Installation Agent (LIA). This component is used for central management of ScaleIO deployment and uses shell commands for certain actions. A remote malicious user, with network access to LIA and knowledge of the LIA administrative password, could potentially exploit this vulnerability to run arbitrary commands as root on the systems where LIAs are installed. Dell EMC ScaleIO, en versiones anteriores a la 2.5, contiene una vulnerabilidad de inyección de comandos en el agente de instalación Light installation Agent (LIA). Este componente se emplea para la gestión central de la implementación ScalelO y utiliza comandos shell para determinadas acciones. • http://seclists.org/fulldisclosure/2018/Mar/59 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1237
https://notcve.org/view.php?id=CVE-2018-1237
Dell EMC ScaleIO versions prior to 2.5, contain improper restriction of excessive authentication attempts on the Light installation Agent (LIA). This component is deployed on every server in the ScaleIO cluster and is used for central management of ScaleIO nodes. A remote malicious user, having network access to LIA, could potentially exploit this vulnerability to launch brute force guessing of user names and passwords of user accounts on the LIA. Dell EMC ScaleIO, en versiones anteriores a la 2.5, contiene una restricción incorrecta de intentos de autenticación excesivos en el agente de instalación Light installation Agent (LIA). Este componente se implementa en cada servidor del clúster ScalelO y se emplea para la gestión central de nodos ScalelO. • http://seclists.org/fulldisclosure/2018/Mar/59 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2018-1211
https://notcve.org/view.php?id=CVE-2018-1211
Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a path traversal vulnerability in its Web server's URI parser which could be used to obtain specific sensitive data without authentication. A remote unauthenticated attacker may be able to read configuration settings from the iDRAC by querying specific URI strings. Dell EMC iDRAC7/iDRAC8, en versiones anteriores a la 2.52.52.52, contiene una vulnerabilidad de salto de directorio en su analizador URI del servidor web que podría utilizarse para obtener información sensible específica sin autenticación. Un atacante remoto no autenticado podría leer los ajustes de configuración del iDRAC consultando cadenas URI específicas. • http://en.community.dell.com/techcenter/extras/m/white_papers/20485410 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 1CVE-2018-1207
https://notcve.org/view.php?id=CVE-2018-1207
Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI injection vulnerability which could be used to execute remote code. A remote unauthenticated attacker may potentially be able to use CGI variables to execute remote code. Dell EMC iDRAC7/iDRAC8, en versiones anteriores a la 2.52.52.52, contiene una vulnerabilidad de inyección CGI que podría utilizarse para ejecutar código remoto. Un atacante remoto no autenticado podría utilizar variables CGI para ejecutar código remoto. • https://github.com/un4gi/CVE-2018-1207 http://en.community.dell.com/techcenter/extras/m/white_papers/20485410 http://www.securityfocus.com/bid/103694 https://twitter.com/nicowaisman/status/977279766792466432 • CWE-94: Improper Control of Generation of Code ('Code Injection') •