CRITICAL🇵🇱 Wersja polska

CVE-2024-0001

CVSS 10.0v3.1pub. 2024-09-23upd. 2024-09-27

A condition exists in FlashArray Purity whereby a local account intended for initial array configuration remains active potentially allowing a malicious actor to gain elevated privileges.

🤖 AI Analysis
How it works

A local account, designed solely for the purposes of initial array configuration, is not deactivated after completion of this process. It remains active in the system, constituting an unintended access vector. An attacker who gains access to this account can exploit it to perform privilege escalation in the system.

Impact

An attacker can obtain elevated privileges in the FlashArray Purity system, which may lead to complete takeover of the storage array, and consequently to breach of confidentiality, integrity, and availability of stored data.

Mitigation & patch

Patches available from the vendor should be applied in accordance with the references (https://purestorage.com/security). It is also recommended to verify the status of local accounts on FlashArray systems and deactivate unused configuration accounts.

Who is affected

Pure Storage Purity//FA (FlashArray) products — versions indicated in vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Purestorage Purity\/\/fa

    APP
    Purestorage
    6.3.0 – 6.3.146.4.0 – 6.4.10
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-0002CRITICAL10.0PL ✓ten sam produkt

Obejście uwierzytelnienia w Pure Storage FlashArray Purity (CVSS 10.0)

CVE-2024-0005CRITICAL9.1PL ✓ten sam produkt

Command injection w Pure Storage Purity poprzez konfigurację SNMP

CVE-2024-0004CRITICAL9.1PL ✓ten sam produkt

Zdalne wykonanie kodu z eskalacją uprawnień w Pure Storage FlashArray Purity

CVE-2024-0003CRITICAL9.1PL ✓ten sam produkt

Pure Storage FlashArray Purity — nieautoryzowane tworzenie konta z uprawnieniami

CVE-2022-32554CRITICAL9.8ten sam produkt

Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3....