CVE-2024-0005

Published: Sep 23, 2024Modified: Sep 27, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A condition exists in FlashArray and FlashBlade Purity whereby a malicious user could execute arbitrary commands remotely through a specifically crafted SNMP configuration.

Affected (20)

Products: Purestorage: Purity//fa, Purity//fb

Purestorage

2 products

Purity//fa

Purity//fb

Configuration A

11 vulnerable

Vulnerable Software	Affected Versions
Purestorage Purity//fa	From 5.0.0 to 5.0.11
Purestorage Purity//fa	From 5.1.0 to 5.1.17
Purestorage Purity//fa	From 5.2.0 to 5.2.7
Purestorage Purity//fa	From 5.3.0 to 5.3.21
Purestorage Purity//fa	From 6.0.0 to 6.0.9
Purestorage Purity//fa	From 6.1.0 to 6.1.25
Purestorage Purity//fa	From 6.2.0 to 6.2.17
Purestorage Purity//fa	From 6.3.0 to 6.3.14
Purestorage Purity//fa	From 6.4.0 to 6.4.10
Purestorage Purity//fa	Version 6.5.0
Purestorage Purity//fa	Version 6.6.0

Configuration B

9 vulnerable

Vulnerable Software	Affected Versions
Purestorage Purity//fb	From 3.0.0 to 3.0.9
Purestorage Purity//fb	From 3.1.0 to 3.1.5
Purestorage Purity//fb	From 3.2.0 to 3.2.10
Purestorage Purity//fb	From 3.3.0 to 3.3.11
Purestorage Purity//fb	From 4.0.0 to 4.0.6
Purestorage Purity//fb	From 4.1.0 to 4.1.10
Purestorage Purity//fb	From 4.2.0 to 4.2.3
Purestorage Purity//fb	Version 4.3.0
Purestorage Purity//fb	Version 4.3.1

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (1)

https://purestorage.com/security

Source: psirt@purestorage.com

Vendor Advisory

Timeline

No history available yet.