CVE-2024-21985

Privilege Escalation Vulnerability in ONTAP 9

Severity Score

7.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

ONTAP 9 versions prior to 9.9.1P18, 9.10.1P16, 9.11.1P13, 9.12.1P10
and 9.13.1P4 are susceptible to a vulnerability which could allow an
authenticated user with multiple remote accounts with differing roles to
perform actions via REST API beyond their intended privilege. Possible
actions include viewing limited configuration details and metrics or
modifying limited settings, some of which could result in a Denial of
Service (DoS).

Las versiones de ONTAP 9 anteriores a 9.9.1P18, 9.10.1P16, 9.11.1P13, 9.12.1P10 y 9.13.1P4 son susceptibles a una vulnerabilidad que podría permitir a un usuario autenticado con múltiples cuentas remotas con diferentes roles realizar acciones a través de la API REST más allá de su privilegio pretendido. Las posibles acciones incluyen ver métricas y detalles de configuración limitados o modificar configuraciones limitadas, algunas de las cuales podrían resultar en una denegación de servicio (DoS).

*Credits: N/A

CVSS Scores

NISTv3.1 7.6

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-01-03 CVE Reserved
2024-01-26 CVE Published
2024-02-06 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-269: Improper Privilege Management

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://security.netapp.com/advisory/ntap-20240126-0001	2024-02-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				>= 9.0 < 9.9.1 Search vendor "Netapp" for product "Clustered Data Ontap" and version " >= 9.0 < 9.9.1"		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				>= 9.10.0 < 9.10.1 Search vendor "Netapp" for product "Clustered Data Ontap" and version " >= 9.10.0 < 9.10.1"		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				>= 9.11.0 < 9.11.1 Search vendor "Netapp" for product "Clustered Data Ontap" and version " >= 9.11.0 < 9.11.1"		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				>= 9.12.0 < 9.12.1 Search vendor "Netapp" for product "Clustered Data Ontap" and version " >= 9.12.0 < 9.12.1"		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				>= 9.13.0 < 9.13.1 Search vendor "Netapp" for product "Clustered Data Ontap" and version " >= 9.13.0 < 9.13.1"		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				9.9.1 Search vendor "Netapp" for product "Clustered Data Ontap" and version "9.9.1"		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				9.10.1 Search vendor "Netapp" for product "Clustered Data Ontap" and version "9.10.1"		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				9.11.1 Search vendor "Netapp" for product "Clustered Data Ontap" and version "9.11.1"		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				9.12.1 Search vendor "Netapp" for product "Clustered Data Ontap" and version "9.12.1"		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				9.13.1 Search vendor "Netapp" for product "Clustered Data Ontap" and version "9.13.1"		-		Affected