CVE-2023-6538 HIGH

CVE-2023-6538: System Management Unit (SMU) versions prior to 14.8.7825.01, used to manage Hitachi Vantara NAS products is susceptible to unintended information disclosure via unprivileged access to SMU configuration backup data.

Vendor Hitachi Vantara
Product System Management Unit (SMU)
Weakness CWE-285
Published December 11, 2023
Last update August 2, 2024
View on NVD All CVEs

CVSS base score

7.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

What the vulnerability does

01Description

SMU versions prior to 14.8.7825.01 are susceptible to unintended information disclosure, through URL manipulation. Authenticated users in Storage, Server or combined Server+Storage administrative roles are able to access SMU configuration backup, that would normally be barred to those specific administrative roles.

Key dates

02Disclosure timeline

December 11, 2023 CVE published
August 2, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-2693 CoCoTeaNet CyreneAdmin System Info Endpoint getCount improper authorization CVE-2022-40521 Improper authorization in Modem CVE-2026-30959 OneUptime has WhatsApp Resend Verification Authorization Bypass CVE-2021-21432 Reject unauthorized access with GitHub PATs CVE-2021-28506 An issue has recently been discovered in Arista EOS where certain gNOI APIs incorrectly skip authorization and authentication which could potentially allow a factory reset of the device.