CVE-2023-28373 - Vulnerability Details - OpenCVE

A flaw exists in FlashArray Purity whereby an array administrator by configuring an external key manager can affect the availability of data on the system including snapshots protected by SafeMode.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00041.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Purestorage	Purity\/\/fa

Configuration 1 [-]

OR	cpe:2.3:a:purestorage:purity\/\/fa::::::::
	cpe:2.3:a:purestorage:purity\/\/fa::::::::
	cpe:2.3:a:purestorage:purity\/\/fa::::::::
	cpe:2.3:a:purestorage:purity\/\/fa:6.4.0:::::::*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-32069	A flaw exists in FlashArray Purity whereby an array administrator by configuring an external key manager can affect the availability of data on the system including snapshots protected by SafeMode.

Fixes

Solution

This issue is resolved in FlashArray Purity (OE) versions 6.1.23 or later, 6.2.16 or later, 6.3.7 or later, 6.4.1 or later

Workaround

No workaround given by the vendor.

References

Link	Providers
https://support.purestorage.com/Employee_Handbooks/Technical_Services/PSIRT/Security_Bulletin_for_FlashArray_SafeMode_Immutable_Vulnerability_CVE-2023-28373

History

Mon, 23 Sep 2024 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: PureStorage

Published: 2023-10-02T23:02:31.591Z

Updated: 2024-09-23T13:43:23.214Z

Reserved: 2023-03-15T04:06:47.635Z

Link: CVE-2023-28373

Vulnrichment

Updated: 2024-08-02T12:38:24.928Z

NVD

Status : Modified

Published: 2023-10-03T00:15:09.913

Modified: 2024-11-21T07:54:56.747

Link: CVE-2023-28373

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-28373", "assignerOrgId": "3895c224-4e1d-482a-adb3-fa64795683ac", "state": "PUBLISHED", "assignerShortName": "PureStorage", "dateReserved": "2023-03-15T04:06:47.635Z", "datePublished": "2023-10-02T23:02:31.591Z", "dateUpdated": "2024-09-23T13:43:23.214Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["SafeMode"], "product": "FlashArray Purity", "vendor": "Pure Storage", "versions": [{"lessThanOrEqual": "6.1.22", "status": "affected", "version": "6.1.0", "versionType": "custom"}, {"lessThanOrEqual": "6.2.15", "status": "affected", "version": "6.2.0", "versionType": "custom"}, {"lessThanOrEqual": "6.3.6", "status": "affected", "version": "6.3.0", "versionType": "custom"}, {"status": "affected", "version": "6.4.0"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Mountain America Credit Union (MACU) "}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A flaw exists in FlashArray Purity whereby an array administrator by configuring an external key manager can affect the availability of data on the system including snapshots protected by SafeMode. </span><br>"}], "value": "A flaw exists in FlashArray Purity whereby an array administrator by configuring an external key manager can affect the availability of data on the system including snapshots protected by SafeMode. \n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "3895c224-4e1d-482a-adb3-fa64795683ac", "shortName": "PureStorage", "dateUpdated": "2023-10-02T23:02:31.591Z"}, "references": [{"url": "https://support.purestorage.com/Employee_Handbooks/Technical_Services/PSIRT/Security_Bulletin_for_FlashArray_SafeMode_Immutable_Vulnerability_CVE-2023-28373"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">This issue is resolved in FlashArray Purity (OE) versions 6.1.23 or later, 6.2.16 or later, 6.3.7 or later, 6.4.1 or later</span><br>"}], "value": "This issue is resolved in FlashArray Purity (OE) versions 6.1.23 or later, 6.2.16 or later, 6.3.7 or later, 6.4.1 or later\n"}], "source": {"discovery": "USER"}, "title": "FlashArray SafeMode Immutable Vulnerability ", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:38:24.928Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.purestorage.com/Employee_Handbooks/Technical_Services/PSIRT/Security_Bulletin_for_FlashArray_SafeMode_Immutable_Vulnerability_CVE-2023-28373", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-23T13:43:15.300807Z", "id": "CVE-2023-28373", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T13:43:23.214Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://support.purestorage.com/Employee_Handbooks/Technical_Services/PSIRT/Security_Bulletin_for_FlashArray_SafeMode_Immutable_Vulnerability_CVE-2023-28373", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:38:24.928Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-28373", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-23T13:43:15.300807Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T13:43:19.284Z"}}], "cna": {"title": "FlashArray SafeMode Immutable Vulnerability ", "source": {"discovery": "USER"}, "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Mountain America Credit Union (MACU) "}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Pure Storage", "modules": ["SafeMode"], "product": "FlashArray Purity", "versions": [{"status": "affected", "version": "6.1.0", "versionType": "custom", "lessThanOrEqual": "6.1.22"}, {"status": "affected", "version": "6.2.0", "versionType": "custom", "lessThanOrEqual": "6.2.15"}, {"status": "affected", "version": "6.3.0", "versionType": "custom", "lessThanOrEqual": "6.3.6"}, {"status": "affected", "version": "6.4.0"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "This issue is resolved in FlashArray Purity (OE) versions 6.1.23 or later, 6.2.16 or later, 6.3.7 or later, 6.4.1 or later\n", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">This issue is resolved in FlashArray Purity (OE) versions 6.1.23 or later, 6.2.16 or later, 6.3.7 or later, 6.4.1 or later</span><br>", "base64": false}]}], "references": [{"url": "https://support.purestorage.com/Employee_Handbooks/Technical_Services/PSIRT/Security_Bulletin_for_FlashArray_SafeMode_Immutable_Vulnerability_CVE-2023-28373"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A flaw exists in FlashArray Purity whereby an array administrator by configuring an external key manager can affect the availability of data on the system including snapshots protected by SafeMode. \n", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">A flaw exists in FlashArray Purity whereby an array administrator by configuring an external key manager can affect the availability of data on the system including snapshots protected by SafeMode. </span><br>", "base64": false}]}], "providerMetadata": {"orgId": "3895c224-4e1d-482a-adb3-fa64795683ac", "shortName": "PureStorage", "dateUpdated": "2023-10-02T23:02:31.591Z"}}}, "cveMetadata": {"cveId": "CVE-2023-28373", "state": "PUBLISHED", "dateUpdated": "2024-09-23T13:43:23.214Z", "dateReserved": "2023-03-15T04:06:47.635Z", "assignerOrgId": "3895c224-4e1d-482a-adb3-fa64795683ac", "datePublished": "2023-10-02T23:02:31.591Z", "assignerShortName": "PureStorage"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:purestorage:purity\\/\\/fa:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F59FAA6-8982-4800-A1C4-10F22D48EC8A", "versionEndIncluding": "6.1.22", "versionStartIncluding": "6.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:purestorage:purity\\/\\/fa:*:*:*:*:*:*:*:*", "matchCriteriaId": "7FFCC8E3-F18E-4013-AE72-7C2FBB9AAA73", "versionEndIncluding": "6.2.15", "versionStartIncluding": "6.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:purestorage:purity\\/\\/fa:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C2DB4EF-77FB-43E8-B87B-D1B8173BB6EB", "versionEndIncluding": "6.3.6", "versionStartIncluding": "6.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:purestorage:purity\\/\\/fa:6.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "9B9E8C5D-640F-42DB-8842-5D381EF9FF35", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw exists in FlashArray Purity whereby an array administrator by configuring an external key manager can affect the availability of data on the system including snapshots protected by SafeMode. \n"}, {"lang": "es", "value": "Existe una falla en FlashArray Purity por la cual un administrador de matriz, al configurar un administrador de claves externo, puede afectar la disponibilidad de los datos en el sistema, incluidas las instant\u00e1neas protegidas por SafeMode."}], "id": "CVE-2023-28373", "lastModified": "2024-11-21T07:54:56.747", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 3.6, "source": "psirt@purestorage.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-03T00:15:09.913", "references": [{"source": "psirt@purestorage.com", "tags": ["Vendor Advisory"], "url": "https://support.purestorage.com/Employee_Handbooks/Technical_Services/PSIRT/Security_Bulletin_for_FlashArray_SafeMode_Immutable_Vulnerability_CVE-2023-28373"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://support.purestorage.com/Employee_Handbooks/Technical_Services/PSIRT/Security_Bulletin_for_FlashArray_SafeMode_Immutable_Vulnerability_CVE-2023-28373"}], "sourceIdentifier": "psirt@purestorage.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}