PT-2024-19139 · Netapp · Ontap

Published: 2024-01-26 · Updated: 2024-02-05 · CVE-2024-21985

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions
ONTAP 9 versions prior to 9.9.1P18
ONTAP 9 versions prior to 9.10.1P16
ONTAP 9 versions prior to 9.11.1P13
ONTAP 9 versions prior to 9.12.1P10
ONTAP 9 versions prior to 9.13.1P4
Description
The issue allows an authenticated user with multiple remote accounts and differing roles to perform actions via the REST API beyond their intended privilege. Possible actions include viewing limited configuration details and metrics or modifying limited settings, some of which could result in a Denial of Service (DoS).
Recommendations
For versions prior to 9.9.1P18, update to version 9.9.1P18 or later.
For versions prior to 9.10.1P16, update to version 9.10.1P16 or later.
For versions prior to 9.11.1P13, update to version 9.11.1P13 or later.
For versions prior to 9.12.1P10, update to version 9.12.1P10 or later.
For versions prior to 9.13.1P4, update to version 9.13.1P4 or later.
As a temporary workaround, consider restricting access to the REST API until the update is applied.
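As an added example, not code from this advisory or from NetApp: a small Python checker that maps an ONTAP version string onto the fixed releases listed above and reports whether a cluster still needs the update, so the five branch thresholds do not have to be compared by hand across an inventory. It assumes the version text comes either from the `version` CLI command or from the `version.full` field returned by `GET /api/cluster` (that field name and the "NetApp Release 9.x.yPz: ..." layout are assumptions); the sample inventory at the bottom is constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed patch level per ONTAP 9 release branch, as listed in the advisory above.
# Key: (generation, major, minor); value: first P-level that carries the fix.
FIXED_P_LEVEL: Dict[Tuple[int, int, int], int] = {
    (9, 9, 1): 18,
    (9, 10, 1): 16,
    (9, 11, 1): 13,
    (9, 12, 1): 10,
    (9, 13, 1): 4,
}

# Matches "9.12.1", "9.12.1P9" or "9.12.1RC1" anywhere in a string, so both the
# bare output of the `version` CLI command and the (assumed) `version.full`
# text from GET /api/cluster ("NetApp Release 9.12.1P9: ...") can be fed in.
# The first dotted triple in the string is taken as the version.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(P|RC)(\d+))?")


def parse_ontap_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (generation, major, minor, patch) or None if no version is found.

    A GA release without a P suffix is patch level 0; an RC build is treated as
    -1 so that it sorts below the GA release it precedes (and is therefore
    still classified as affected).
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    gen, major, minor = (int(m.group(i)) for i in (1, 2, 3))
    kind, num = m.group(4), m.group(5)
    if kind == "P":
        patch = int(num)
    elif kind == "RC":
        patch = -1
    else:
        patch = 0
    return gen, major, minor, patch


def classify(text: str) -> str:
    """Classify a version string against the advisory's fixed releases.

    Returns one of: 'affected', 'fixed', 'unlisted' (a branch the advisory
    does not mention, e.g. 9.14.1, which must be checked separately), or
    'unparseable'.
    """
    parsed = parse_ontap_version(text)
    if parsed is None:
        return "unparseable"
    gen, major, minor, patch = parsed
    fixed = FIXED_P_LEVEL.get((gen, major, minor))
    if fixed is None:
        return "unlisted"
    return "fixed" if patch >= fixed else "affected"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each cluster name to its classification.

    `inventory` is a {cluster name: version string} dict, e.g. one assembled
    from REST or CLI output for every cluster under management.
    """
    return {name: classify(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical cluster names and versions).
    sample = {
        "cluster-a": "NetApp Release 9.12.1P9: Thu Oct 12 14:05:00 UTC 2023",
        "cluster-b": "9.13.1P4",
        "cluster-c": "9.11.1",      # GA release with no patch level
        "cluster-d": "9.14.1P1",    # branch not covered by this advisory
    }
    for name, verdict in triage(sample).items():
        print(f"{name}: {verdict}")
```

The "unlisted" outcome is deliberate: a branch the advisory does not name (older than 9.9.1 or newer than 9.13.1) is neither confirmed fixed nor confirmed affected by this page, so the script refuses to guess and leaves it for the operator to verify against the vendor bulletin.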

Fix · DoS · Improper Privilege Management

Weakness Enumeration

Related Identifiers: CVE-2024-21985

Affected Products: Ontap