CVE-2023-44306

Vulnerability

CVE-2023-44306 is a path traversal vulnerability in the Dell PowerProtect Data Manager DM5500 Appliance. The flaw exists in the appliance's file handling logic, allowing an attacker to traverse directories and overwrite configuration files stored on the server filesystem. Affected versions are DM5500 5.14 and below [1].

Exploitation

Exploitation requires a remote attacker with high privileges (e.g., administrative access) to the appliance. The attacker can craft requests that traverse directories and overwrite arbitrary configuration files. No user interaction is needed beyond the attacker's authenticated session [1].

Impact

Successful exploitation allows the attacker to overwrite configuration files, potentially altering appliance behavior, causing denial of service, or enabling further attacks. The impact is limited to configuration file modification; however, this could lead to a full compromise of the appliance's integrity [1].

Mitigation

Dell has released version DM5500 5.15 to remediate this vulnerability. Users should upgrade to DM5500 5.15 or later. No workarounds are mentioned in the advisory. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].