CVE-2024-42422

Vulnerability

Dell NetWorker Client contains an Authorization Bypass Through User-Controlled Key vulnerability (CWE-639). Affected versions are those prior to 19.10.0.6 and versions 19.11 through 19.11.0.2. The flaw resides in the client component and allows an attacker to manipulate a key used for authorization checks, thereby bypassing access controls [1].

Exploitation

An unauthenticated attacker with remote network access can exploit this vulnerability by sending specially crafted requests that control the authorization key. No authentication or user interaction is required. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L indicates low attack complexity and no privileges needed [1].

Impact

Successful exploitation results in information disclosure (low confidentiality impact), as well as low integrity and availability impacts. The attacker can gain unauthorized read access to sensitive data and potentially perform limited modifications or cause service disruption [1].

Mitigation

Dell has released fixed versions: 19.10.0.6 and 19.11.0.3 or later. Users should upgrade to these versions. No workarounds are provided in the advisory [1].