CVE-2022-29085 - OpenCVE

Dell Unity, Dell UnityVSA, and Dell Unity XT versions prior to 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Dell	Unity Operating Environment Unity Xt Operating Environment Unityvsa Operating Environment

Configuration 1 [-]

OR	cpe:2.3:a:dell:unity_operating_environment::::::::
	cpe:2.3:a:dell:unity_xt_operating_environment::::::::
	cpe:2.3:a:dell:unityvsa_operating_environment::::::::

No data.

References

Link	Providers
https://www.dell.com/support/kbdoc/000199050

History

No history.

MITRE

Status: PUBLISHED

Assigner: dell

Published: 2022-06-02T21:00:31.054830Z

Updated: 2024-09-17T03:23:38.857Z

Reserved: 2022-04-12T00:00:00

Link: CVE-2022-29085

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-06-02T21:15:07.880

Modified: 2022-06-13T16:59:23.247

Link: CVE-2022-29085

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Unity", "vendor": "Dell", "versions": [{"lessThan": "5.2.0.0.5.173", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2022-04-29T00:00:00", "descriptions": [{"lang": "en", "value": "Dell Unity, Dell UnityVSA, and Dell Unity XT versions prior to 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-256", "description": "CWE-256: Unprotected Storage of Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-06-02T21:00:30", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.dell.com/support/kbdoc/000199050"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@dell.com", "DATE_PUBLIC": "2022-04-29", "ID": "CVE-2022-29085", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Unity", "version": {"version_data": [{"version_affected": "<", "version_value": "5.2.0.0.5.173"}]}}]}, "vendor_name": "Dell"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Dell Unity, Dell UnityVSA, and Dell Unity XT versions prior to 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user."}]}, "impact": {"cvss": {"baseScore": 6.4, "baseSeverity": "Medium", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-256: Unprotected Storage of Credentials"}]}]}, "references": {"reference_data": [{"name": "https://www.dell.com/support/kbdoc/000199050", "refsource": "MISC", "url": "https://www.dell.com/support/kbdoc/000199050"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T06:10:59.215Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.dell.com/support/kbdoc/000199050"}]}]}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2022-29085", "datePublished": "2022-06-02T21:00:31.054830Z", "dateReserved": "2022-04-12T00:00:00", "dateUpdated": "2024-09-17T03:23:38.857Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dell:unity_operating_environment:*:*:*:*:*:*:*:*", "matchCriteriaId": "4855E724-3CDB-403C-990A-BC40D11F164C", "versionEndExcluding": "5.2.0.0.5.173", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:unity_xt_operating_environment:*:*:*:*:*:*:*:*", "matchCriteriaId": "0F60B8C6-8F5B-4E0C-BAFD-764F24200CDA", "versionEndExcluding": "5.2.0.0.5.173", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:unityvsa_operating_environment:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA1CEA94-0334-4783-BB4B-8863BFEFB7B6", "versionEndExcluding": "5.2.0.0.5.173", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dell Unity, Dell UnityVSA, and Dell Unity XT versions prior to 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user."}, {"lang": "es", "value": "Dell Unity, Dell UnityVSA y Dell Unity XT versiones anteriores a la 5.2.0.0.5.173 contienen una vulnerabilidad en el almacenamiento de contrase\u00f1as de texto plano cuando son ejecutados determinadas herramientas fuera de la matriz en el sistema. Las credenciales de un usuario con altos privilegios son almacenadas en texto plano. Un usuario local malicioso con altos privilegios puede usar la contrase\u00f1a expuesta para conseguir acceso con los privilegios del usuario comprometido"}], "id": "CVE-2022-29085", "lastModified": "2022-06-13T16:59:23.247", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2022-06-02T21:15:07.880", "references": [{"source": "security_alert@emc.com", "tags": ["Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/000199050"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-256"}], "source": "security_alert@emc.com", "type": "Secondary"}]}