CVE-2022-32268
https://notcve.org/view.php?id=CVE-2022-32268
StarWind SAN and NAS v0.2 build 1914 allow remote code execution. A flaw was found in REST API in StarWind Stack. REST command, which allows changing the hostname, doesn’t check a new hostname parameter. It goes directly to bash as part of a script. An attacker with non-root user access can inject arbitrary data into the command that will be executed with root privileges. • https://www.starwindsoftware.com/security/sw-20220531-0001 •
CVE-2007-20001
https://notcve.org/view.php?id=CVE-2007-20001
A flaw was found in StarWind iSCSI target. An attacker could script standard iSCSI Initiator operation(s) to exhaust the StarWind service socket, which could lead to denial of service. This affects iSCSI SAN (Windows Native) Version 3.2.2 build 2007-02-20. Se ha encontrado un fallo en el objetivo iSCSI de StarWind. Un atacante podría programar operaciones estándar del iniciador iSCSI para agotar el socket de servicio de StarWind, lo que podría llevar a una denegación de servicio. • https://www.starwindsoftware.com/security/sw-20070601-0001 • CWE-400: Uncontrolled Resource Consumption •
CVE-2013-20004
https://notcve.org/view.php?id=CVE-2013-20004
A flaw was found in StarWind iSCSI target. StarWind service does not limit client connections and allocates memory on each connection attempt. An attacker could create a denial of service state by trying to connect a non-existent target multiple times. This affects iSCSI SAN (Windows Native) Version 6.0, build 2013-01-16. Se ha encontrado un fallo en el objetivo iSCSI de StarWind. • https://www.starwindsoftware.com/security/sw-20130215-0001 • CWE-400: Uncontrolled Resource Consumption •
CVE-2022-24551
https://notcve.org/view.php?id=CVE-2022-24551
A flaw was found in StarWind Stack. The endpoint for setting a new password doesn’t check the current username and old password. An attacker could reset any local user password (including system/administrator user) using any available user This affects StarWind SAN and NAS v0.2 build 1633. Se ha encontrado un fallo en StarWind Stack. El punto final para establecer una nueva contraseña no comprueba el nombre de usuario actual y la contraseña antigua. • https://www.starwindsoftware.com/security/sw-20220204-0001 • CWE-287: Improper Authentication •
CVE-2022-24552
https://notcve.org/view.php?id=CVE-2022-24552
A flaw was found in the REST API in StarWind Stack. REST command, which manipulates a virtual disk, doesn’t check input parameters. Some of them go directly to bash as part of a script. An attacker with non-root user access can inject arbitrary data into the command that will be executed with root privileges. This affects StarWind SAN and NAS v0.2 build 1633. • https://www.starwindsoftware.com/security/sw-20220203-0001 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •