CVE-2022-32552

Name of the Vulnerable Software and Affected Versions Pure Storage FlashArray versions 5.2.x and prior Pure Storage FlashArray versions 5.3.0 through 5.3.17 Pure Storage FlashArray versions 6.0.0 through 6.0.8 Pure Storage FlashArray versions 6.1.0 through 6.1.12 Pure Storage FlashArray versions 6.2.0 through 6.2.3 Pure Storage FlashBlade versions 3.0.x and prior Pure Storage FlashBlade versions 3.1.0 through 3.1.12 Pure Storage FlashBlade versions 3.2.0 through 3.2.4 Pure Storage FlashBlade version 3.3.0

Description The issue allows for privilege escalation via the manipulation of Python environment variables. This can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges.

Recommendations For Pure Storage FlashArray versions 5.2.x and prior, upgrade to an unaffected version of Purity software. For Pure Storage FlashArray versions 5.3.0 through 5.3.17, upgrade to an unaffected version of Purity software. For Pure Storage FlashArray versions 6.0.0 through 6.0.8, upgrade to an unaffected version of Purity software. For Pure Storage FlashArray versions 6.1.0 through 6.1.12, upgrade to an unaffected version of Purity software. For Pure Storage FlashArray versions 6.2.0 through 6.2.3, upgrade to an unaffected version of Purity software. For Pure Storage FlashBlade versions 3.0.x and prior, upgrade to an unaffected version of Purity software. For Pure Storage FlashBlade versions 3.1.0 through 3.1.12, upgrade to an unaffected version of Purity software. For Pure Storage FlashBlade versions 3.2.0 through 3.2.4, upgrade to an unaffected version of Purity software. For Pure Storage FlashBlade version 3.3.0, upgrade to an unaffected version of Purity software. As a temporary workaround, consider restricting the manipulation of Python environment variables to minimize the risk of exploitation.