CVE-2020-7138 : Potential remote code execution security vulnerabilities have been identified wi

Potential remote code execution security vulnerabilities have been identified with HPE Nimble Storage systems that could be exploited by an attacker to gain elevated privileges on the array. The following NimbleOS versions, and all subsequent releases, contain a software fix for this vulnerability: 3.9.3.0 4.5.6.0 5.0.9.0 5.1.4.100

Published 2020-05-19 23:15:10

Updated 2021-07-21 11:39:24

Source Hewlett Packard Enterprise (HPE)

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2020-7138

HPE » Nimbleos
Versions from including (>=) 4.1.0.0 and up to, including, (<=) 4.5.6.0
cpe:2.3:o:hpe:nimbleos:*:*:*:*:*:*:*:*
Matching versions
When used together with: HPE » Nimble Storage Af20 All Flash Array » Version: N/A
When used together with: HPE » Nimble Storage Af20q All Flash Dual Controller » Version: N/A
When used together with: HPE » Nimble Storage Af40 All Flash Dual Controller » Version: N/A
When used together with: HPE » Nimble Storage Af60 All Flash Dual Controller » Version: N/A
When used together with: HPE » Nimble Storage Af80 All Flash Dual Controller » Version: N/A
When used together with: HPE » Nimble Storage Cs3000 » Version: N/A
When used together with: HPE » Nimble Storage Cs5000 » Version: N/A
When used together with: HPE » Nimble Storage Cs7000 » Version: N/A
When used together with: HPE » Nimble Storage Secondary Flash Arrays » Version: N/A
HPE » Nimbleos
Versions from including (>=) 5.1.0.0 and up to, including, (<=) 5.1.4.100
cpe:2.3:o:hpe:nimbleos:*:*:*:*:*:*:*:*
Matching versions
When used together with: HPE » Nimble Storage Af20 All Flash Array » Version: N/A
When used together with: HPE » Nimble Storage Af20q All Flash Dual Controller » Version: N/A
When used together with: HPE » Nimble Storage Af40 All Flash Dual Controller » Version: N/A
When used together with: HPE » Nimble Storage Af60 All Flash Dual Controller » Version: N/A
When used together with: HPE » Nimble Storage Af80 All Flash Dual Controller » Version: N/A
When used together with: HPE » Nimble Storage Cs3000 » Version: N/A
When used together with: HPE » Nimble Storage Cs5000 » Version: N/A
When used together with: HPE » Nimble Storage Cs7000 » Version: N/A
When used together with: HPE » Nimble Storage Secondary Flash Arrays » Version: N/A
HPE » Nimbleos
Versions from including (>=) 3.1.0.0 and up to, including, (<=) 3.9.3.0
cpe:2.3:o:hpe:nimbleos:*:*:*:*:*:*:*:*
Matching versions
When used together with: HPE » Nimble Storage Af20 All Flash Array » Version: N/A
When used together with: HPE » Nimble Storage Af20q All Flash Dual Controller » Version: N/A
When used together with: HPE » Nimble Storage Af40 All Flash Dual Controller » Version: N/A
When used together with: HPE » Nimble Storage Af60 All Flash Dual Controller » Version: N/A
When used together with: HPE » Nimble Storage Af80 All Flash Dual Controller » Version: N/A
When used together with: HPE » Nimble Storage Cs3000 » Version: N/A
When used together with: HPE » Nimble Storage Cs5000 » Version: N/A
When used together with: HPE » Nimble Storage Cs7000 » Version: N/A
When used together with: HPE » Nimble Storage Secondary Flash Arrays » Version: N/A
HPE » Nimbleos
Versions from including (>=) 5.0.1.0 and up to, including, (<=) 5.0.9.0
cpe:2.3:o:hpe:nimbleos:*:*:*:*:*:*:*:*
Matching versions
When used together with: HPE » Nimble Storage Af20 All Flash Array » Version: N/A
When used together with: HPE » Nimble Storage Af20q All Flash Dual Controller » Version: N/A
When used together with: HPE » Nimble Storage Af40 All Flash Dual Controller » Version: N/A
When used together with: HPE » Nimble Storage Af60 All Flash Dual Controller » Version: N/A
When used together with: HPE » Nimble Storage Af80 All Flash Dual Controller » Version: N/A
When used together with: HPE » Nimble Storage Cs3000 » Version: N/A
When used together with: HPE » Nimble Storage Cs5000 » Version: N/A
When used together with: HPE » Nimble Storage Cs7000 » Version: N/A
When used together with: HPE » Nimble Storage Secondary Flash Arrays » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2020-7138

EPSS FAQ

1.97%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 82 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-7138

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2020-7138

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03992en_us

HPESBST03992 rev.1 - HPE Nimble Storage, Remote Code Execution
Vendor Advisory

Jump to

Vulnerability Details : CVE-2020-7138

Products affected by CVE-2020-7138

Exploit prediction scoring system (EPSS) score for CVE-2020-7138

CVSS scores for CVE-2020-7138

References for CVE-2020-7138