PT-2020-9967 · Dell EMC · Dell EMC Data Protection Advisor

Published

2020-03-18

·

Updated

2020-03-24

·

CVE-2019-18581

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:
Dell EMC Data Protection Advisor versions 6.3 through 6.5
Dell EMC Data Protection Advisor version 18.2 prior to patch 83
Dell EMC Data Protection Advisor version 19.1 prior to patch 71
Description: The affected versions contain a server-side missing authorization vulnerability in the REST API. A remote, authenticated user with administrative privileges can exploit it to alter the application's allow-list of permitted OS commands, which leads to arbitrary OS command execution as the regular (unprivileged) user account under which the DPA service runs on the affected system. Although administrative credentials are required (PR:H in the vector), the impact crosses from the application into the host operating system (S:C), which is why the score is Critical despite the high privilege requirement.
Recommendations: Upgrade to a fixed release. For version 18.2, apply patch 83 or later; for version 19.1, apply patch 71 or later; for versions 6.3 through 6.5, apply the vendor-supplied update that addresses the missing authorization issue in the REST API. Until the patch is applied, restrict network access to the REST API to trusted management hosts, keep the set of DPA administrative accounts as small as possible (the flaw is only reachable by an authenticated administrator), and review any changes to the OS command allow-list, since an altered list is the observable precursor to command execution.
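The following Python model is added here to illustrate the bug class that the description and recommendations refer to; it is constructed example code, not code from Dell EMC Data Protection Advisor, and its routes, roles and request shape are hypothetical. The vulnerable class exposes the OS command allow-list as mutable runtime state that any authenticated caller can rewrite, so adding a shell to the list turns the "run an allowed command" route into arbitrary command execution. The hardened class keeps the allow-list as fixed deploy-time configuration with no write route at all, checks the caller's role on every route, and lets callers choose a command only by name, so the server supplies the full argv.

```python
"""
Constructed model of the bug class behind CVE-2019-18581: a REST API whose
allow-list of OS commands is runtime state that authenticated callers can
rewrite, so the "run an allowed command" route becomes arbitrary command
execution. Illustrative code only, not Dell EMC Data Protection Advisor's.
"""
import shlex
import subprocess
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an authenticated HTTP request (constructed)."""
    method: str
    path: str
    role: str                      # "admin" or "operator" (hypothetical roles)
    body: dict = field(default_factory=dict)


def _run(argv):
    """Execute argv without a shell and return its stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


class VulnerableCommandApi:
    """Allow-list lives in mutable state and is writable through the API."""

    def __init__(self, allowed=("df", "uptime")):
        self.allowed = set(allowed)

    def handle(self, req):
        if req.method == "POST" and req.path == "/api/commands/allowlist":
            # Missing authorization: any authenticated caller can replace the
            # set of permitted binaries; nothing pins it to deployment config.
            self.allowed = set(req.body["commands"])
            return 200, sorted(self.allowed)
        if req.method == "POST" and req.path == "/api/commands/run":
            argv = shlex.split(req.body["command"])
            if not argv or argv[0] not in self.allowed:
                return 403, "command not allowed"
            # Once "sh" is on the list the argv[0] check passes and the caller
            # controls everything after it (executed as the service user).
            return 200, _run(argv)
        return 404, ""


class HardenedCommandApi:
    """Allow-list is fixed deploy-time config mapping names to a full argv."""

    # In a real service this would be read from a file the service user
    # cannot write; the entries here are constructed.
    DEFAULT_COMMANDS = {
        "disk_usage": ("df", "-h"),
        "uptime": ("uptime",),
    }

    def __init__(self, commands=None):
        # Private, tuple-valued copy: no route and no caller can mutate it.
        source = commands or self.DEFAULT_COMMANDS
        self._commands = {name: tuple(argv) for name, argv in source.items()}

    def handle(self, req):
        if req.path == "/api/commands/allowlist":
            if req.role != "admin":
                return 403, "forbidden"
            if req.method != "GET":
                return 405, "allow-list is read-only"   # no write operation exists
            return 200, sorted(self._commands)
        if req.method == "POST" and req.path == "/api/commands/run":
            if req.role not in ("admin", "operator"):
                return 403, "forbidden"
            # The caller picks a *name*; the server supplies the complete argv,
            # so neither the binary nor its arguments are attacker-controlled.
            argv = self._commands.get(req.body.get("command"))
            if argv is None:
                return 403, "command not allowed"
            return 200, _run(list(argv))
        return 404, ""


def attack(api, role="admin"):
    """Replay the CVE-2019-18581 pattern against an API instance and return
    (allowlist_status, run_status, run_result)."""
    s1, _ = api.handle(Request("POST", "/api/commands/allowlist", role,
                               {"commands": ["sh"]}))
    s2, result = api.handle(Request("POST", "/api/commands/run", role,
                                    {"command": "sh -c 'echo pwned'"}))
    return s1, s2, result


if __name__ == "__main__":
    print("vulnerable:", attack(VulnerableCommandApi()))
    print("hardened:  ", attack(HardenedCommandApi()))
```

Against the vulnerable class the replay succeeds with an administrator account: the allow-list write returns 200 and the run route executes the injected shell command. Against the hardened class the same two requests return 405 and 403, because there is no write operation for the allow-list and free-form command strings are never resolved to a binary. The design point matters more than the role check: even a correctly authorized administrator should not be able to widen the set of executable binaries at runtime, which is exactly the capability the advisory describes.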

Fix

Weakness Enumeration

Missing Authorization (CWE-862)

Related Identifiers

CVE-2019-18581

Affected Products

Dell EMC Data Protection Advisor