A vulnerability was found in NetApp ONTAP up to 9.9.1P17/9.10.1P15/9.11.1P12/9.12.1P1-1/9.13.1P3 and classified as critical. Affected by this issue is an unknown code block of the component REST API. The manipulation with an unknown input leads to a privileges management vulnerability. Using CWE to declare the problem leads to CWE-269. The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Impacted is confidentiality, integrity, and availability. CVE summarizes:

ONTAP 9 versions prior to 9.9.1P18, 9.10.1P16, 9.11.1P13, 9.12.1P10 and 9.13.1P4 are susceptible to a vulnerability which could allow an authenticated user with multiple remote accounts with differing roles to perform actions via REST API beyond their intended privilege. Possible actions include viewing limited configuration details and metrics or modifying limited settings, some of which could result in a Denial of Service (DoS).

The weakness was shared 01/26/2024 as ntap-20240126-0001. The advisory is available at security.netapp.com. This vulnerability is handled as CVE-2024-21985 since 01/03/2024. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1068 by the MITRE ATT&CK project.

Applying the patch 9.9.1P18/9.10.1P16/9.11.1P13/9.12.1P10/9.13.1P4 is able to eliminate this problem.

The entries VDB-255095, VDB-255098, VDB-255667 and VDB-256812 are related to this item.

Productinfo

Vendor

• NetApp

Name

• ONTAP

Version

• 9.9.1P17
• 9.10.1P15
• 9.11.1P12
• 9.12.1P1-1
• 9.13.1P3

License

• commercial

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion