CVE-2023-27316 - OpenCVE

SnapCenter versions 4.8 through 4.9 are susceptible to a vulnerability which may allow an authenticated SnapCenter Server user to become an admin user on a remote system where a SnapCenter plug-in has been installed.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Netapp	Snapcenter

Configuration 1 [-]

cpe:2.3:a:netapp:snapcenter:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://security.netapp.com/advisory/NTAP-20231012-0001/
https://security.netapp.com/advisory/ntap-20231012-0001/

History

Wed, 18 Sep 2024 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: netapp

Published: 2023-10-12T21:04:47.473Z

Updated: 2024-09-18T14:59:18.438Z

Reserved: 2023-02-28T17:20:57.462Z

Link: CVE-2023-27316

Vulnrichment

Updated: 2024-08-02T12:09:43.103Z

NVD

Status : Analyzed

Published: 2023-10-12T22:15:09.640

Modified: 2023-10-18T14:25:34.030

Link: CVE-2023-27316

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-27316", "assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", "state": "PUBLISHED", "assignerShortName": "netapp", "dateReserved": "2023-02-28T17:20:57.462Z", "datePublished": "2023-10-12T21:04:47.473Z", "dateUpdated": "2024-09-18T14:59:18.438Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SnapCenter", "vendor": "NetApp", "versions": [{"lessThanOrEqual": "4.9", "status": "affected", "version": "4.8", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SnapCenter versions 4.8 through 4.9 are susceptible to a \nvulnerability which may allow an authenticated SnapCenter Server user to\n become an admin user on a remote system where a SnapCenter plug-in has \nbeen installed. \n\n"}], "value": "SnapCenter versions 4.8 through 4.9 are susceptible to a \nvulnerability which may allow an authenticated SnapCenter Server user to\n become an admin user on a remote system where a SnapCenter plug-in has \nbeen installed. \n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", "shortName": "netapp", "dateUpdated": "2023-10-12T21:04:47.473Z"}, "references": [{"url": "https://security.netapp.com/advisory/NTAP-20231012-0001/"}, {"url": "https://security.netapp.com/advisory/ntap-20231012-0001/"}], "source": {"advisory": "NTAP-20231012-0001", "discovery": "UNKNOWN"}, "title": "Privilege Escalation Vulnerability in SnapCenter", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:09:43.103Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/NTAP-20231012-0001/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231012-0001/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-18T14:59:09.774586Z", "id": "CVE-2023-27316", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T14:59:18.438Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-27316", "assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", "state": "PUBLISHED", "assignerShortName": "netapp", "dateReserved": "2023-02-28T17:20:57.462Z", "datePublished": "2023-10-12T21:04:47.473Z", "dateUpdated": "2024-09-18T14:59:18.438Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SnapCenter", "vendor": "NetApp", "versions": [{"lessThanOrEqual": "4.9", "status": "affected", "version": "4.8", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SnapCenter versions 4.8 through 4.9 are susceptible to a \nvulnerability which may allow an authenticated SnapCenter Server user to\n become an admin user on a remote system where a SnapCenter plug-in has \nbeen installed. \n\n"}], "value": "SnapCenter versions 4.8 through 4.9 are susceptible to a \nvulnerability which may allow an authenticated SnapCenter Server user to\n become an admin user on a remote system where a SnapCenter plug-in has \nbeen installed. \n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", "shortName": "netapp", "dateUpdated": "2023-10-12T21:04:47.473Z"}, "references": [{"url": "https://security.netapp.com/advisory/NTAP-20231012-0001/"}, {"url": "https://security.netapp.com/advisory/ntap-20231012-0001/"}], "source": {"advisory": "NTAP-20231012-0001", "discovery": "UNKNOWN"}, "title": "Privilege Escalation Vulnerability in SnapCenter", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:09:43.103Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/NTAP-20231012-0001/", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231012-0001/", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-27316", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-18T14:59:09.774586Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-18T14:59:14.402Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:snapcenter:*:*:*:*:*:*:*:*", "matchCriteriaId": "4304E07C-4A87-4589-896A-7F2EEC1BC7E1", "versionEndIncluding": "4.9", "versionStartIncluding": "4.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SnapCenter versions 4.8 through 4.9 are susceptible to a \nvulnerability which may allow an authenticated SnapCenter Server user to\n become an admin user on a remote system where a SnapCenter plug-in has \nbeen installed. \n\n"}, {"lang": "es", "value": "Las versiones 4.8 a 4.9 de SnapCenter son susceptibles a una vulnerabilidad que puede permitir que un usuario autenticado de SnapCenter Server se convierta en usuario administrador en un sistema remoto donde se ha instalado un complemento de SnapCenter."}], "id": "CVE-2023-27316", "lastModified": "2023-10-18T14:25:34.030", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "security-alert@netapp.com", "type": "Secondary"}]}, "published": "2023-10-12T22:15:09.640", "references": [{"source": "security-alert@netapp.com", "tags": ["Vendor Advisory"], "url": "https://security.netapp.com/advisory/NTAP-20231012-0001/"}], "sourceIdentifier": "security-alert@netapp.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-alert@netapp.com", "type": "Secondary"}]}