CVE-2024-22229

Dell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker. An attacker could exploit this vulnerability to forge log entries, create false alarms, and inject malicious content into logs that compromise logs integrity. A malicious attacker could also prevent the product from logging information while malicious actions are performed or implicate an arbitrary user for malicious activities.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.dell.com/support/kbdoc/en-us/000213152/dsa-2023-141-dell-unity-unity-vsa-and-unity-xt-security-update-for-multiple-vulnerabilities	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:dell:unity_operating_environment:5.3.0.0.5.120:::::::*
	cpe:2.3:a:dell:unity_xt_operating_environment:5.3.0.0.5.120:::::::*
	cpe:2.3:a:dell:unityvsa_operating_environment:5.3.0.0.5.120:::::::*

History

No history.

Information

Published : 2024-01-24 17:15

Updated : 2024-01-30 23:01

NVD link : CVE-2024-22229

Mitre link : CVE-2024-22229

CVE.ORG link : CVE-2024-22229

JSON object : View

Products Affected

dell

unity_xt_operating_environment
unityvsa_operating_environment
unity_operating_environment

CWE

CWE-116

Improper Encoding or Escaping of Output

CWE-117

Improper Output Neutralization for Logs

{"id": "CVE-2024-22229", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security_alert@emc.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.6}]}, "published": "2024-01-24T17:15:08.410", "references": [{"url": "https://www.dell.com/support/kbdoc/en-us/000213152/dsa-2023-141-dell-unity-unity-vsa-and-unity-xt-security-update-for-multiple-vulnerabilities", "tags": ["Vendor Advisory"], "source": "security_alert@emc.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-116"}]}, {"type": "Secondary", "source": "security_alert@emc.com", "description": [{"lang": "en", "value": "CWE-117"}]}], "descriptions": [{"lang": "en", "value": "\nDell Unity, versions prior to 5.4, contain a vulnerability whereby log messages can be spoofed by an authenticated attacker. An attacker could exploit this vulnerability to forge log entries, create false alarms, and inject malicious content into logs that compromise logs integrity. A malicious attacker could also prevent the product from logging information while malicious actions are performed or implicate an arbitrary user for malicious activities.\n\n"}, {"lang": "es", "value": "Dell Unity, versiones anteriores a la 5.4, contienen una vulnerabilidad por la cual un atacante autenticado puede falsificar los mensajes de registro. Un atacante podr\u00eda aprovechar esta vulnerabilidad para falsificar entradas de registro, crear falsas alarmas e inyectar contenido malicioso en registros que comprometan su integridad. Un atacante malicioso tambi\u00e9n podr\u00eda impedir que el producto registre informaci\u00f3n mientras se realizan acciones maliciosas o implicar a un usuario arbitrario por actividades maliciosas."}], "lastModified": "2024-01-30T23:01:36.513", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dell:unity_operating_environment:5.3.0.0.5.120:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "893E7ED1-18F4-479B-8319-168155EC6052"}, {"criteria": "cpe:2.3:a:dell:unity_xt_operating_environment:5.3.0.0.5.120:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8102E9B0-BF83-464E-B199-99C9B26C55A0"}, {"criteria": "cpe:2.3:a:dell:unityvsa_operating_environment:5.3.0.0.5.120:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E7A21556-3794-40D5-A577-79D64A2C588A"}], "operator": "OR"}]}], "sourceIdentifier": "security_alert@emc.com"}