QID 375584

Date Published: 2021-05-26

QID 375584: Dell NetWorker Security Update for Multiple Vulnerabilities (DSA-2020-262)

Dell NetWorker is a suite of enterprise-level data protection software that unifies and automates backup to tape, disk-based, and flash-based storage media across physical and virtual environments for granular and disaster recovery.

Multiple vulnerabilities in NetWorker third-party components:
CVE-2020-13692: XXE vulnerability in the third-party component PostgreSQL.
CVE-2020-11022: Untrusted code execution in the third-party component jQuery.

Affected NetWorker Versions:
NetWorker versions prior to 19.2.1.4
NetWorker versions from 19.2.1.5 prior to 19.3.0.4
NetWorker versions from 19.3.0.5 prior to 19.4

QID Detection Logic (Authenticated):
This QID checks the Windows registry to see whether a vulnerable version of Dell NetWorker is installed.

Successful exploitation of these vulnerabilities may allow an attacker to inject malicious XML through the vulnerable third-party components, resulting in the theft of sensitive information from the target system.

  • CVSS V3 rated as High - 7.7 severity.
  • CVSS V2 rated as High - 6.8 severity.
  • Solution
    The vendor has released patches to resolve this issue; they can be downloaded from the Dell NetWorker Download Center.
    Refer to Dell Security Advisory DSA-2020-262 for additional details about the vulnerabilities.

    CVEs related to QID 375584

    Software Advisories
    Advisory ID: DSA-2020-262
    Link: www.dell.com/support/kbdoc/en-in/000180924/dsa-2020-262-dell-emc-networker-security-update-for-multiple-vulnerabilities