CVE-2021-21511
Description
Dell EMC Avamar Server, versions 19.3 and 19.4, contain an Improper Authorization vulnerability in the web UI. A remote low privileged attacker could potentially exploit this vulnerability to gain unauthorized read or modification access to other users' backup data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2021-21511 allows a low-privileged attacker to read or modify other users' backup data via an improper authorization flaw in Dell EMC Avamar Server web UI (19.3, 19.4).
Vulnerability
CVE-2021-21511 is an improper authorization vulnerability in the web UI of Dell EMC Avamar Server, versions 19.3 and 19.4. It also affects Dell EMC Integrated Data Protection Appliance (IDPA) version 2.6, which incorporates Avamar [1]. The flaw exists in the web interface and is reachable by any authenticated user with low privileges.
Exploitation
An attacker with valid but low-privileged credentials to the Avamar web UI can exploit this vulnerability remotely over the network [1]. No special network position or user interaction beyond normal authentication is required. The attacker can send crafted requests to the vulnerable endpoint to bypass authorization checks and access resources belonging to other users.
Impact
Successful exploitation allows the attacker to read or modify other users' backup data [1]. This leads to high confidentiality and integrity impact, but no availability impact per the CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) [1]. The compromise is limited to the data of other users on the same server, without privilege escalation to administrative functions.
Mitigation
Dell has released hotfixes for the affected products: for Avamar 19.3 use hotfix 327927, for Avamar 19.4 use hotfix 329256, and for IDPA 2.6 use hotfix 327927 [1]. The fixes are installed using the Avamar Installer (AVI) process per Dell KB article 69982 [1]. No workarounds are documented; applying the hotfix is the recommended remediation.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=19.4
- Range: 19.3, 19.4
References