Vulnerability Description
StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could allow disabled, expired, or locked external user accounts to access S3 data to which they previously had access. StorageGRID 11.6.0 obtains the user account status from Active Directory or Azure and will block S3 access for disabled user accounts during the subsequent background synchronization. User accounts that are expired or locked for Active Directory or Azure, or user accounts that are disabled, expired, or locked in identity sources other than Active Directory or Azure must be manually removed from group memberships or have their S3 keys manually removed from Tenant Manager in all versions of StorageGRID (formerly StorageGRID Webscale).
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Netapp | Storagegrid | < 11.6.0 |
References
- https://security.netapp.com/advisory/NTAP-20220303-0009/Vendor Advisory
- https://security.netapp.com/advisory/NTAP-20220303-0009/Vendor Advisory
FAQ
What is CVE-2022-23232?
CVE-2022-23232 is a vulnerability with a CVSS score of 4.9 (MEDIUM). StorageGRID (formerly StorageGRID Webscale) versions prior to 11.6.0 are susceptible to a vulnerability which when successfully exploited could allow disabled, expired, or locked external user account...
How severe is CVE-2022-23232?
CVE-2022-23232 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-23232?
Check the references section above for vendor advisories and patch information. Affected products include: Netapp Storagegrid.