CVE-2023-4976

FlashBlade Authentication Mechanism Vulnerability

  • Severity Score: 9.3 (CVSS v4)
  • Exploit Likelihood (EPSS):
  • Affected Versions (CPE):
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: Attend (SSVC)

Descriptions

A flaw exists in Purity//FB whereby a local account is permitted to authenticate to the management interface using an unintended method that allows an attacker to gain privileged access to the array.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Requirements: None
  • Privileges Required: None
  • User Interaction: None
  • Confidentiality: High (Vulnerable System), None (Subsequent System)
  • Integrity: High (Vulnerable System), None (Subsequent System)
  • Availability: High (Vulnerable System), None (Subsequent System)
* Common Vulnerability Scoring System
SSVC
  • Decision: Attend
  • Exploitation: None
  • Automatable: Yes
  • Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2023-09-14 CVE Reserved
  • 2024-07-17 CVE Published
  • 2024-07-18 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-269: Improper Privilege Management
CAPEC
  • CAPEC-233: Privilege Escalation
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
PureStorage | FlashBlade | >= 3.3.5 <= 3.3.10 | en | Affected
PureStorage | FlashBlade | >= 4.0.4 <= 4.0.6 | en | Affected
PureStorage | FlashBlade | >= 4.1.0 <= 4.1.8 | en | Affected
PureStorage | FlashBlade | >= 4.2.0 <= 4.2.2 | en | Affected