PT-2023-7927 · Hitachi Vantara · Hitachi Vantara HNAS

Arslan Masood · Published 2023-12-04 · Updated 2024-03-12 · CVE-2023-5808

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Hitachi Vantara HNAS versions prior to 14.8.7825.01
Description: The vulnerability allows authenticated users to access sensitive information through an Insecure Direct Object Reference (IDOR). By manipulating URLs, users in certain administrative roles can download confidential files, including HNAS configuration backups and diagnostic data, that would normally be restricted from their role. The root cause is a weakness in the authorization procedure, which potentially allows remote attackers to gain unauthorized access to protected information.
Recommendations: For versions prior to 14.8.7825.01, consider restricting access to sensitive files and diagnostic data until a patch is available. As a temporary workaround, limit the ability of authenticated users in the Storage, Server, or combined Server+Storage administrative roles to manipulate URLs, to minimize the risk of exploitation. Do not use URL manipulation to access HNAS configuration backups and diagnostic data in affected versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Incorrect Privilege Assignment

Improper Authorization

Improper Authentication

Related Identifiers

BDU:2023-09005
CVE-2023-5808

Affected Products

Hitachi Vantara HNAS