CVE-2018-1211 - OpenCVE

Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a path traversal vulnerability in its Web server's URI parser which could be used to obtain specific sensitive data without authentication. A remote unauthenticated attacker may be able to read configuration settings from the iDRAC by querying specific URI strings.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dell	Emc Idrac7 Emc Idrac8

Configuration 1 [-]

OR	cpe:2.3:a:dell:emc_idrac7::::::::
	cpe:2.3:a:dell:emc_idrac8::::::::

No data.

References

Link	Providers
http://en.community.dell.com/techcenter/extras/m/white_papers/20485410

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2018-03-23T14:00:00Z

Updated: 2024-09-16T20:22:05.961Z

Reserved: 2017-12-06T00:00:00

Link: CVE-2018-1211

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2018-03-23T14:29:00.353

Modified: 2018-04-19T14:55:46.837

Link: CVE-2018-1211

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "iDRAC7/iDRAC8", "vendor": "Dell EMC", "versions": [{"status": "affected", "version": "versions prior to 2.52.52.52"}]}], "datePublic": "2018-03-20T00:00:00", "descriptions": [{"lang": "en", "value": "Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a path traversal vulnerability in its Web server's URI parser which could be used to obtain specific sensitive data without authentication. A remote unauthenticated attacker may be able to read configuration settings from the iDRAC by querying specific URI strings."}], "problemTypes": [{"descriptions": [{"description": "path traversal vulnerability", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-03-23T13:57:01", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://en.community.dell.com/techcenter/extras/m/white_papers/20485410"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security_alert@emc.com", "DATE_PUBLIC": "2018-03-20T00:00:00", "ID": "CVE-2018-1211", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "iDRAC7/iDRAC8", "version": {"version_data": [{"version_value": "versions prior to 2.52.52.52"}]}}]}, "vendor_name": "Dell EMC"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a path traversal vulnerability in its Web server's URI parser which could be used to obtain specific sensitive data without authentication. A remote unauthenticated attacker may be able to read configuration settings from the iDRAC by querying specific URI strings."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "path traversal vulnerability"}]}]}, "references": {"reference_data": [{"name": "http://en.community.dell.com/techcenter/extras/m/white_papers/20485410", "refsource": "MISC", "url": "http://en.community.dell.com/techcenter/extras/m/white_papers/20485410"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:51:48.979Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://en.community.dell.com/techcenter/extras/m/white_papers/20485410"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2018-1211", "datePublished": "2018-03-23T14:00:00Z", "dateReserved": "2017-12-06T00:00:00", "dateUpdated": "2024-09-16T20:22:05.961Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dell:emc_idrac7:*:*:*:*:*:*:*:*", "matchCriteriaId": "E41F5175-E4C0-40BC-A7AD-F0681CED1B35", "versionEndExcluding": "2.52.52.52", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:emc_idrac8:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DB163F4-B9BB-4360-ADE0-402FB95C52CB", "versionEndExcluding": "2.52.52.52", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain a path traversal vulnerability in its Web server's URI parser which could be used to obtain specific sensitive data without authentication. A remote unauthenticated attacker may be able to read configuration settings from the iDRAC by querying specific URI strings."}, {"lang": "es", "value": "Dell EMC iDRAC7/iDRAC8, en versiones anteriores a la 2.52.52.52, contiene una vulnerabilidad de salto de directorio en su analizador URI del servidor web que podr\u00eda utilizarse para obtener informaci\u00f3n sensible espec\u00edfica sin autenticaci\u00f3n. Un atacante remoto no autenticado podr\u00eda leer los ajustes de configuraci\u00f3n del iDRAC consultando cadenas URI espec\u00edficas."}], "id": "CVE-2018-1211", "lastModified": "2018-04-19T14:55:46.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-23T14:29:00.353", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "http://en.community.dell.com/techcenter/extras/m/white_papers/20485410"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}