CVE-2023-6538 - OpenCVE

SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in Storage, Server or combined Server+Storage administrative roles are able to access SMU configuration backup, that would normally be barred to those specific administrative roles.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hitachi	System Management Unit System Management Unit Firmware

Configuration 1 [-]

AND

cpe:2.3:o:hitachi:system_management_unit_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:hitachi:system_management_unit:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://knowledge.hitachivantara.com/Security/System_Management_Unit_(SMU)_versions_prior_to_14.8.7825.01%2C_used_to_manage_Hitachi_Vantara_NAS_products_is_susceptible_to_unintended_information_disclosure_via_unprivileged_access_to_SMU_configuration_backup_data.

History

No history.

MITRE

Status: PUBLISHED

Assigner: HITVAN

Published: 2023-12-11T17:54:11.961Z

Updated: 2024-08-02T08:35:13.612Z

Reserved: 2023-12-05T22:12:50.307Z

Link: CVE-2023-6538

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-12-11T18:15:30.250

Modified: 2023-12-14T17:02:15.203

Link: CVE-2023-6538

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-6538", "assignerOrgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "state": "PUBLISHED", "assignerShortName": "HITVAN", "dateReserved": "2023-12-05T22:12:50.307Z", "datePublished": "2023-12-11T17:54:11.961Z", "dateUpdated": "2024-08-02T08:35:13.612Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["System Management Unit (SMU)"], "product": "System Management Unit (SMU)", "vendor": "Hitachi Vantara", "versions": [{"lessThan": "14.8.7825.01", "status": "affected", "version": "6.0", "versionType": "Full release"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Arslan Masood"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in Storage, Server or combined Server+Storage administrative roles are able to access SMU configuration backup, that would normally be barred to those specific administrative roles. "}], "value": "SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in Storage, Server or combined Server+Storage administrative roles are able to access SMU configuration backup, that would normally be barred to those specific administrative roles. "}], "impacts": [{"capecId": "CAPEC-37", "descriptions": [{"lang": "en", "value": "CAPEC-37 Retrieve Embedded Sensitive Data"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "description": "CWE-285: Improper Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "dce6e192-ff49-4263-9134-f0beccb9bc13", "shortName": "HITVAN", "dateUpdated": "2023-12-12T16:37:19.900Z"}, "references": [{"url": "https://knowledge.hitachivantara.com/Security/System_Management_Unit_(SMU)_versions_prior_to_14.8.7825.01%2C_used_to_manage_Hitachi_Vantara_NAS_products_is_susceptible_to_unintended_information_disclosure_via_unprivileged_access_to_SMU_configuration_backup_data."}], "source": {"discovery": "EXTERNAL"}, "title": "System Management Unit (SMU) versions prior to 14.8.7825.01, used to manage Hitachi Vantara NAS products is susceptible to unintended information disclosure via unprivileged access to SMU configuration backup data.", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:35:13.612Z"}, "title": "CVE Program Container", "references": [{"url": "https://knowledge.hitachivantara.com/Security/System_Management_Unit_(SMU)_versions_prior_to_14.8.7825.01%2C_used_to_manage_Hitachi_Vantara_NAS_products_is_susceptible_to_unintended_information_disclosure_via_unprivileged_access_to_SMU_configuration_backup_data.", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:hitachi:system_management_unit_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DBFB3A6-CDAB-4988-8471-23B6C147F797", "versionEndExcluding": "14.8.7825.01", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hitachi:system_management_unit:-:*:*:*:*:*:*:*", "matchCriteriaId": "97B0CC62-7F81-4A12-880B-9954CF9EA323", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in Storage, Server or combined Server+Storage administrative roles are able to access SMU configuration backup, that would normally be barred to those specific administrative roles. "}, {"lang": "es", "value": "Las versiones de SMU anteriores a 14.8.7825.01 son susceptibles a la divulgaci\u00f3n de informaci\u00f3n no intencionada mediante la manipulaci\u00f3n de URL. Los usuarios autenticados en funciones administrativas de Almacenamiento, Servidor o combinadas de Servidor+Almacenamiento pueden acceder a la copia de seguridad de la configuraci\u00f3n de SMU, que normalmente estar\u00eda prohibida para esas funciones administrativas espec\u00edficas."}], "id": "CVE-2023-6538", "lastModified": "2023-12-14T17:02:15.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security.vulnerabilities@hitachivantara.com", "type": "Secondary"}]}, "published": "2023-12-11T18:15:30.250", "references": [{"source": "security.vulnerabilities@hitachivantara.com", "tags": ["Vendor Advisory"], "url": "https://knowledge.hitachivantara.com/Security/System_Management_Unit_(SMU)_versions_prior_to_14.8.7825.01%2C_used_to_manage_Hitachi_Vantara_NAS_products_is_susceptible_to_unintended_information_disclosure_via_unprivileged_access_to_SMU_configuration_backup_data."}], "sourceIdentifier": "security.vulnerabilities@hitachivantara.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "security.vulnerabilities@hitachivantara.com", "type": "Secondary"}]}