PT-2022-12338 · Starwind · Starwind Command Center, Starwind San/Nas
Published: 2022-01-04 · Updated: 2022-09-01
CVE-2021-45389
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
StarWind SAN and NAS build 1578
StarWind Command Center build 6864
Description
A flaw was found in the handling of JWT tokens: a self-signed JWT token can be injected into the update manager to bypass the authentication process and thereby escalate privileges. The root cause is that the update manager accepts a token whose signature was not issued with a key the service itself trusts.
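The weakness class described above is a verifier that trusts whatever a token asserts about itself instead of checking the signature against key material the server controls. The following is an added illustration of the hardened side of that check; it is not StarWind code, and the token layout, the `kid` trust store, the key bytes and all sample claims are constructed for the example. The verifier pins the algorithm, selects the key from its own trust store, compares the HMAC in constant time and requires an unexpired `exp` claim, so a token signed with any key other than the server's (a self-signed token) is rejected at the signature step.

```python
"""Hardened HS256 JWT verification: accept only tokens signed with a trusted key.

Added example for the weakness class above (an update manager accepting a
self-signed JWT). Not StarWind code: the key-id scheme, TRUSTED_KEYS and all
sample tokens are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side trust store; a real service loads this from a secret store.
TRUSTED_KEYS = {"kid-2022": b"server-side-secret-never-shared-with-clients"}
# Algorithm allowlist: the token header is never allowed to choose "none" or switch algorithms.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_token(claims: dict, key: bytes, kid: str, alg: str = "HS256") -> str:
    """Build a compact JWS; used here only to construct sample inputs for verify_token."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    if alg == "none":
        return signing_input + "."  # unsigned token: empty signature segment
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the token was signed with a key this service trusts.

    Every failure path returns None: malformed structure, disallowed algorithm,
    unknown key id, signature mismatch, or missing/expired exp. The key is chosen
    by the server from TRUSTED_KEYS; nothing inside the token can supply a key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") not in ALLOWED_ALGS:
        return None
    key = TRUSTED_KEYS.get(header.get("kid"))
    if key is None:
        return None  # key id not in our trust store: a self-signed token stops here at the latest
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None  # signed with some other key, or payload tampered after signing
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or isinstance(exp, bool) or exp <= now:
        return None  # require a numeric, future exp so a forged token cannot omit expiry
    return payload


if __name__ == "__main__":
    fixed_now = 1_700_000_000  # constructed clock value so the run is reproducible
    good = mint_token({"sub": "operator", "exp": 2_000_000_000}, TRUSTED_KEYS["kid-2022"], "kid-2022")
    self_signed = mint_token({"sub": "operator", "exp": 2_000_000_000}, b"key-the-server-never-issued", "kid-2022")
    print("trusted token accepted:", verify_token(good, now=fixed_now) is not None)
    print("self-signed token rejected:", verify_token(self_signed, now=fixed_now) is None)
```

The design point is that trust flows from the server's own key store to the token, never the other way: the `kid` only selects among keys the server already holds, and any token presenting a signature the server did not produce fails the constant-time comparison regardless of what its header or claims say.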
Recommendations
For StarWind SAN and NAS build 1578, consider disabling the update manager until a patch is available to prevent exploitation.
For StarWind Command Center build 6864, restrict access to the update manager to minimize the risk of exploitation.
Fix
Weakness Enumeration
Improper Authentication
Related Identifiers
CVE-2021-45389
Affected Products
Starwind Command Center
Starwind San/Nas