SnapCenter versions prior to 6.0.1P1 and 6.1P1 are susceptible to a vulnerability which may allow an authenticated SnapCenter Server user to become an admin user on a remote system where a SnapCenter plug-in has been installed.
The vulnerability is related to improper handling of permissions (CWE-266), which allows an authenticated SnapCenter Server user to obtain unauthorized administrative privileges on remote hosts managed by SnapCenter plugins. The attacker does not need interaction from another user or particularly high initial privileges — simply having a regular account on SnapCenter Server is sufficient. The attack scope extends beyond the source component (S:C), meaning it is possible to impact systems external to the SnapCenter server itself.
An attacker can gain full administrative control over remote systems where SnapCenter plugins are installed, leading to complete compromise of confidentiality, integrity, and availability of these systems.
NetApp SnapCenter should be updated to version 6.0.1P1 or 6.1P1 (depending on the branch in use). Detailed instructions are available in the official NetApp security bulletin at https://security.netapp.com/advisory/NTAP-20250324-0001.
NetApp SnapCenter in versions prior to 6.0.1P1 and 6.1P1.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HNetapp Snapcenter
APPNetapp6.0.16.1< 6.0.1
Related vulnerabilities
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features u...
SnapCenter versions 4.7 prior to 4.7P2 and 4.8 prior to 4.8P1 are susceptible to a vulnerability which could a...
Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically evaluated ...
The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AV...
In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt()....