CVE-2022-34434: The Postgres database used by Dell Cloud Mobility has an Improper Access Control vulnerability.

Cloud Mobility for Dell Storage versions 1.4.0 and later contain an Improper Authentication vulnerability in the authentication flow for user management in the vApp version of Cloud Mobility. A threat actor with root-level access to either the vApp or the containerized version of Cloud Mobility may exploit this vulnerability to gain unauthenticated access to any Cloud Mobility user, or to create new users with cloud-based management privileges. Successful exploitation may compromise the integrity and availability of the normal functionality of the Cloud Mobility application.

Vulnerability Scenario

A threat actor with root-level access to a vApp instance of Cloud Mobility may exploit this vulnerability by creating new users within that same vApp. This allows an attacker who already holds root on the appliance to use the application's user management capabilities from within their own control panel, and then to monitor or manipulate data on behalf of those users.
An attacker who has obtained root-level access to the containerized version of Cloud Mobility may exploit this vulnerability by using the same user management capabilities to gain unauthorized access to other containers within the same instance. For example, an attacker who gains root-level access to one container has full control over all data in that container and can reach the data in any other container in the same instance.

Potential Impact

An attacker may gain unauthenticated access to an existing Cloud Mobility user account, or to one they create. An attacker with root-level access to the vApp or containerized version of Cloud Mobility may also bypass authorization and create new users with cloud-based management privileges. Either outcome may compromise the integrity and availability of the normal functionality of the Cloud Mobility application.

Timeline

Published on: 10/11/2022 17:15:00 UTC
Last modified on: 10/14/2022 03:26:00 UTC
