// For flags

CVE-2022-23232

 

Severity Score

4.9
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could allow disabled, expired, or locked external user accounts to access S3 data to which they previously had access. StorageGRID 11.6.0 obtains the user account status from Active Directory or Azure and will block S3 access for disabled user accounts during the subsequent background synchronization. User accounts that are expired or locked for Active Directory or Azure, or user accounts that are disabled, expired, or locked in identity sources other than Active Directory or Azure must be manually removed from group memberships or have their S3 keys manually removed from Tenant Manager in all versions of StorageGRID (formerly StorageGRID Webscale).

StorageGRID (anteriormente conocido como StorageGRID Webscale) versiones anteriores a 11.6.0, son susceptibles a una vulnerabilidad que, cuando es explotada con éxito, podría permitir que las cuentas de usuarios externos deshabilitadas, caducadas o bloqueadas accedan a los datos de S3 a los que presentaban acceso anteriormente. StorageGRID versión 11.6.0 obtiene el estado de la cuenta de usuario desde Active Directory o Azure y bloqueará el acceso a S3 de las cuentas de usuario deshabilitadas durante la posterior sincronización en segundo plano. Las cuentas de usuario caducadas o bloqueadas para Active Directory o Azure, o las cuentas de usuario deshabilitadas, caducadas o bloqueadas en fuentes de identidad distintas de Active Directory o Azure deben eliminarse manualmente de las membresías de grupo o eliminarse manualmente sus claves de S3 desde Tenant Manager en todas las versiones de StorageGRID (antes StorageGRID Webscale)

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-01-14 CVE Reserved
  • 2022-03-04 CVE Published
  • 2023-09-25 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
References (1)
URL Tag Source
URL Date SRC
URL Date SRC
URL Date SRC
https://security.netapp.com/advisory/NTAP-20220303-0009 2023-08-08
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Netapp
Search vendor "Netapp"
 Storagegrid
Search vendor "Netapp" for product "Storagegrid"
 < 11.6.0
Search vendor "Netapp" for product "Storagegrid" and version " < 11.6.0"
-
Affected