CVE-2023-5808 : SMU versions prior to 14.8.7825.01 are susceptible to unintended information dis

SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in a Storage administrative role are able to access HNAS configuration backup and diagnostic data, that would normally be barred to that specific administrative role.

Published 2023-12-05 00:15:10

Updated 2023-12-12 17:15:08

Source Hitachi Vantara

View at NVD, CVE.org

Vulnerability category: BypassGain privilegeInformation leak

Products affected by CVE-2023-5808

Hitachi » Vantara Hitachi Network Attached Storage
Versions up to, including, (<=) 14.8.7825.01
cpe:2.3:a:hitachi:vantara_hitachi_network_attached_storage:*:*:*:*:*:*:*:*
Matching versions
When used together with: Microsoft » Windows » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2023-5808

EPSS FAQ

0.50%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 64 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-5808

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	Hitachi Vantara
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.6	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L	2.8	4.7	Hitachi Vantara
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: Low Availability: Low
6.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L	2.8	3.4	Hitachi Vantara
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: Low Availability: Low

CWE ids for CVE-2023-5808

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: security.vulnerabilities@hitachivantara.com (Secondary)
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2023-5808

https://knowledge.hitachivantara.com/Security/System_Management_Unit_(SMU)_versions_prior_to_14.8.7825.01%2C_used_to_manage_Hitachi_Vantara_NAS_products_are_susceptible_to_unintended_information_disclosure_via_unprivileged_access_to_HNAS_configuration_backup_and_diagnostic_data.

System Management Unit (SMU) versions prior to 14.8.7825.01, used to manage Hitachi Vantara NAS products are susceptible to unintended information disclosure via unprivileged access to HNAS configurat
https://support.hitachivantara.com/

Hitachi Vantara Support
Not Applicable
https://knowledge.hitachivantara.com/Security/System_Management_Unit_(SMU)_versions_prior_to_14.8.7825.01%2C_used_to_manage_Hitachi_Vantara_NAS_products_are_susceptible_to_unintended_information_disclosure_via_unprivileged_access_to_HNAS_configuration_backup_and_diagnostic_data

Page not found - Hitachi Vantara Knowledge

Jump to

Vulnerability Details : CVE-2023-5808

Products affected by CVE-2023-5808

Exploit prediction scoring system (EPSS) score for CVE-2023-5808

CVSS scores for CVE-2023-5808

CWE ids for CVE-2023-5808

References for CVE-2023-5808