CVE-2019-11998 - OpenCVE

HPE Superdome Flex Server is vulnerable to multiple remote vulnerabilities via improper input validation of administrator commands. This vulnerability could allow an Administrator to bypass security restrictions and access multiple remote vulnerabilities including information disclosure, or denial of service. HPE has provided firmware updates that address the above vulnerabilities for the HPE Superdome Flex Server starting with firmware version v3.20.186 (not available online) and v3.20.206 (available online). Apply v3.20.206 (4 December 2019) or a newer version to resolve this issue. Please visit HPE Support Center https://support.hpe.com/hpesc/public/home to obtain the updated firmware for your product.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Hpe	Superdome Flex Server Firmware Superdome Flex Server

Configuration 1 [-]

AND

cpe:2.3:o:hpe:superdome_flex_server_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:hpe:superdome_flex_server:-:*:*:*:*:*:*:*

References

Link	Resource
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03978en_us	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hpe

Published: 2020-01-16T18:56:51

Updated: 2020-01-16T18:56:51

Reserved: 2019-05-13T00:00:00

Link: CVE-2019-11998

JSON object: View

NVD Information

Status : Analyzed

Published: 2020-01-16T19:15:12.077

Modified: 2020-01-29T14:31:06.747

Link: CVE-2019-11998

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "HPE Superdome Flex Server", "vendor": "HPE", "versions": [{"status": "affected", "version": "Prior to v3.20.186"}]}], "descriptions": [{"lang": "en", "value": "HPE Superdome Flex Server is vulnerable to multiple remote vulnerabilities via improper input validation of administrator commands. This vulnerability could allow an Administrator to bypass security restrictions and access multiple remote vulnerabilities including information disclosure, or denial of service. HPE has provided firmware updates that address the above vulnerabilities for the HPE Superdome Flex Server starting with firmware version v3.20.186 (not available online) and v3.20.206 (available online). Apply v3.20.206 (4 December 2019) or a newer version to resolve this issue. Please visit HPE Support Center https://support.hpe.com/hpesc/public/home to obtain the updated firmware for your product."}], "problemTypes": [{"descriptions": [{"description": "local multiple vulnerabilities", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-01-16T18:56:51", "orgId": "eb103674-0d28-4225-80f8-39fb86215de0", "shortName": "hpe"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03978en_us"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-alert@hpe.com", "ID": "CVE-2019-11998", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "HPE Superdome Flex Server", "version": {"version_data": [{"version_value": "Prior to v3.20.186"}]}}]}, "vendor_name": "HPE"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "HPE Superdome Flex Server is vulnerable to multiple remote vulnerabilities via improper input validation of administrator commands. This vulnerability could allow an Administrator to bypass security restrictions and access multiple remote vulnerabilities including information disclosure, or denial of service. HPE has provided firmware updates that address the above vulnerabilities for the HPE Superdome Flex Server starting with firmware version v3.20.186 (not available online) and v3.20.206 (available online). Apply v3.20.206 (4 December 2019) or a newer version to resolve this issue. Please visit HPE Support Center https://support.hpe.com/hpesc/public/home to obtain the updated firmware for your product."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "local multiple vulnerabilities"}]}]}, "references": {"reference_data": [{"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03978en_us", "refsource": "CONFIRM", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03978en_us"}]}}}}, "cveMetadata": {"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0", "assignerShortName": "hpe", "cveId": "CVE-2019-11998", "datePublished": "2020-01-16T18:56:51", "dateReserved": "2019-05-13T00:00:00", "dateUpdated": "2020-01-16T18:56:51", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:hpe:superdome_flex_server_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB8A5996-9312-4EE1-ABF0-4C52A4A4CA0E", "versionEndExcluding": "3.20.186", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hpe:superdome_flex_server:-:*:*:*:*:*:*:*", "matchCriteriaId": "74B3DA6F-91D3-4C17-A34B-6AA6B9642B3F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "HPE Superdome Flex Server is vulnerable to multiple remote vulnerabilities via improper input validation of administrator commands. This vulnerability could allow an Administrator to bypass security restrictions and access multiple remote vulnerabilities including information disclosure, or denial of service. HPE has provided firmware updates that address the above vulnerabilities for the HPE Superdome Flex Server starting with firmware version v3.20.186 (not available online) and v3.20.206 (available online). Apply v3.20.206 (4 December 2019) or a newer version to resolve this issue. Please visit HPE Support Center https://support.hpe.com/hpesc/public/home to obtain the updated firmware for your product."}, {"lang": "es", "value": "El servidor HPE Superdome Flex es vulnerable a m\u00faltiples vulnerabilidades remotas por medio de una comprobaci\u00f3n de entrada inapropiada de los comandos de administrador. Esta vulnerabilidad podr\u00eda permitir a un Administrador omitir las restricciones de seguridad y acceder a m\u00faltiples vulnerabilidades remotas, incluyendo una divulgaci\u00f3n de informaci\u00f3n o una denegaci\u00f3n de servicio. HPE ha proporcionado actualizaciones de firmware que abordan las vulnerabilidades anteriores para el servidor HPE Superdome Flex Server comenzando con las versiones de firmware v3.20.186 (no disponible en l\u00ednea) y v3.20.206 (disponible en l\u00ednea). Aplique la versi\u00f3n v3.20.206 (4 de diciembre de 2019) o una versi\u00f3n m\u00e1s nueva para resolver este problema. Por favor visite el Centro de Soporte de HPE https://support.hpe.com/hpesc/public/home para obtener el firmware actualizado para su producto."}], "id": "CVE-2019-11998", "lastModified": "2020-01-29T14:31:06.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-01-16T19:15:12.077", "references": [{"source": "security-alert@hpe.com", "tags": ["Vendor Advisory"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03978en_us"}], "sourceIdentifier": "security-alert@hpe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}