Web authentication and authorization bypass

Vulnerability

A web authentication and authorization bypass vulnerability exists in the Brocade SANnav Web interface. Versions before Brocade SANnav v2.3.0 and v2.2.2a are affected. The flaw allows remote unauthenticated users to bypass the authentication and authorization checks that normally protect the web GUI, gaining unintended access to administrative functions [1].

Exploitation

An attacker with network access to the Brocade SANnav web interface can exploit this vulnerability without any prior authentication. No user interaction or special privileges are required. The attacker simply sends crafted requests to the web server that circumvent the normal login and authorization enforcement [1].

Impact

Successful exploitation grants the attacker full administrative control over the Brocade SANnav appliance. This can lead to complete compromise of confidentiality (access to sensitive data), integrity (modification of configurations or data), and availability (potential disruption of services). The CVSS v3.1 base score is 8.1 (High) with the vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [1].

Mitigation

Broadcom has released fixed versions: Brocade SANnav v2.3.0 and v2.2.2a. Users should upgrade to one of these versions to remediate the vulnerability. No workaround is provided in the advisory [1].