CVE-2020-29494 - OpenCVE

Dell EMC Avamar Server, versions 19.1, 19.2, 19.3, contain a Path Traversal Vulnerability in PDM. A remote user could potentially exploit this vulnerability, to gain unauthorized write access to the arbitrary files stored on the server filesystem, causing deletion of arbitrary files.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:N/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Dell	Emc Integrated Data Protection Appliance Emc Avamar Server

Configuration 1 [-]

OR	cpe:2.3:a:dell:emc_avamar_server:19.1:::::::*
	cpe:2.3:a:dell:emc_avamar_server:19.2:::::::*
	cpe:2.3:a:dell:emc_avamar_server:19.3:::::::*
	cpe:2.3:a:dell:emc_integrated_data_protection_appliance:2.5:::::::*
	cpe:2.3:a:dell:emc_integrated_data_protection_appliance:2.6:::::::*

References

Link	Resource
https://www.dell.com/support/kbdoc/en-us/000181806/dsa-2020-272-dell-emc-avamar-server-security-update-for-multiple-vulnerabilities	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: dell

Published: 2021-01-12T00:00:00

Updated: 2021-01-14T21:10:15

Reserved: 2020-12-03T00:00:00

Link: CVE-2020-29494

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-01-14T21:15:13.507

Modified: 2021-01-21T18:04:06.460

Link: CVE-2020-29494

JSON object: View

Redhat Information

No data.

CWE

CWE-22

{"containers": {"cna": {"affected": [{"product": "Avamar", "vendor": "Dell", "versions": [{"lessThan": "HF 19.1, 19.2, 19.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2021-01-12T00:00:00", "descriptions": [{"lang": "en", "value": "Dell EMC Avamar Server, versions 19.1, 19.2, 19.3, contain a Path Traversal Vulnerability in PDM. A remote user could potentially exploit this vulnerability, to gain unauthorized write access to the arbitrary files stored on the server filesystem, causing deletion of arbitrary files."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-14T21:10:15", "orgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "shortName": "dell"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.dell.com/support/kbdoc/en-us/000181806/dsa-2020-272-dell-emc-avamar-server-security-update-for-multiple-vulnerabilities"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secure@dell.com", "DATE_PUBLIC": "2021-01-12", "ID": "CVE-2020-29494", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Avamar", "version": {"version_data": [{"version_affected": "<", "version_value": "HF 19.1, 19.2, 19.3"}]}}]}, "vendor_name": "Dell"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Dell EMC Avamar Server, versions 19.1, 19.2, 19.3, contain a Path Traversal Vulnerability in PDM. A remote user could potentially exploit this vulnerability, to gain unauthorized write access to the arbitrary files stored on the server filesystem, causing deletion of arbitrary files."}]}, "impact": {"cvss": {"baseScore": 8.7, "baseSeverity": "High", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}]}, "references": {"reference_data": [{"name": "https://www.dell.com/support/kbdoc/en-us/000181806/dsa-2020-272-dell-emc-avamar-server-security-update-for-multiple-vulnerabilities", "refsource": "MISC", "url": "https://www.dell.com/support/kbdoc/en-us/000181806/dsa-2020-272-dell-emc-avamar-server-security-update-for-multiple-vulnerabilities"}]}}}}, "cveMetadata": {"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe", "assignerShortName": "dell", "cveId": "CVE-2020-29494", "datePublished": "2021-01-12T00:00:00", "dateReserved": "2020-12-03T00:00:00", "dateUpdated": "2021-01-14T21:10:15", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dell:emc_avamar_server:19.1:*:*:*:*:*:*:*", "matchCriteriaId": "D055384E-1362-43FC-BD4C-9FAED912FE1F", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:emc_avamar_server:19.2:*:*:*:*:*:*:*", "matchCriteriaId": "AB61C3E2-E97A-48FA-BECE-3593B77C1386", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:emc_avamar_server:19.3:*:*:*:*:*:*:*", "matchCriteriaId": "C7FEBC8A-A479-4684-A870-19E5046EA3B0", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:emc_integrated_data_protection_appliance:2.5:*:*:*:*:*:*:*", "matchCriteriaId": "DAE59022-84BF-48EF-8A9B-0F9A5C68B529", "vulnerable": true}, {"criteria": "cpe:2.3:a:dell:emc_integrated_data_protection_appliance:2.6:*:*:*:*:*:*:*", "matchCriteriaId": "F5D783F9-E4AD-41A8-B1F9-D52333B00D62", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Dell EMC Avamar Server, versions 19.1, 19.2, 19.3, contain a Path Traversal Vulnerability in PDM. A remote user could potentially exploit this vulnerability, to gain unauthorized write access to the arbitrary files stored on the server filesystem, causing deletion of arbitrary files."}, {"lang": "es", "value": "Dell EMC Avamar Server, versiones 19.1, 19.2, 19.3, contiene una vulnerabilidad de salto de ruta en PDM. Un usuario remoto podr\u00eda aprovechar esta vulnerabilidad para conseguir acceso de escritura no autorizado a los archivos arbitrarios almacenados en el sistema de archivos del servidor, causando la eliminaci\u00f3n de archivos arbitrarios"}], "id": "CVE-2020-29494", "lastModified": "2021-01-21T18:04:06.460", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security_alert@emc.com", "type": "Secondary"}]}, "published": "2021-01-14T21:15:13.507", "references": [{"source": "security_alert@emc.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.dell.com/support/kbdoc/en-us/000181806/dsa-2020-272-dell-emc-avamar-server-security-update-for-multiple-vulnerabilities"}], "sourceIdentifier": "security_alert@emc.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "security_alert@emc.com", "type": "Secondary"}]}