CVE-2017-12422

NetApp StorageGRID Webscale 10.2.x before 10.2.2.3, 10.3.x before 10.3.0.4, and 10.4.x before 10.4.0.2 allow remote authenticated users to delete arbitrary objects via unspecified vectors.

Weakness

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Affected Software

Name	Vendor	Start Version	End Version
Storagegrid_webscale	Netapp	10.2 (including)	10.2 (including)
Storagegrid_webscale	Netapp	10.2.1 (including)	10.2.1 (including)
Storagegrid_webscale	Netapp	10.2.2 (including)	10.2.2 (including)
Storagegrid_webscale	Netapp	10.2.2.2 (including)	10.2.2.2 (including)
Storagegrid_webscale	Netapp	10.3.0 (including)	10.3.0 (including)
Storagegrid_webscale	Netapp	10.3.0.3 (including)	10.3.0.3 (including)
Storagegrid_webscale	Netapp	10.4.0 (including)	10.4.0 (including)
Storagegrid_webscale	Netapp	10.4.0.1 (including)	10.4.0.1 (including)

Potential Mitigations

https://cwe.mitre.org/data/definitions/122.html
https://cwe.mitre.org/data/definitions/233.html
https://cwe.mitre.org/data/definitions/58.html

References

http://www.securityfocus.com/bid/100535
https://kb.netapp.com/support/s/article/NTAP-20170825-0001
http://www.securityfocus.com/bid/100535
https://kb.netapp.com/support/s/article/NTAP-20170825-0001

NVD	https://nvd.nist.gov/vuln/detail/CVE-2017-12422
CWE	https://cwe.mitre.org/data/definitions/269.html

Improper Privilege Management

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References