
hitachi-sec-2021-604 : Hitachi Content Platform Information Disclosure Vulnerability

Last Update: September 20, 2022

 

1. Overview


A vulnerability has been found in Hitachi Vantara - Hitachi Content Platform.

 

CVE-2021-28052: Hitachi Content Platform Information Disclosure Vulnerability
A tenant administrator of Hitachi Content Platform (HCP) may modify the configuration in another tenant without authorization, potentially allowing unauthorized access to data in the other tenant. Also, a tenant user (non-administrator) may view the configuration in another tenant without authorization. In both cases, the unauthorized user must know the Namespace UUID of the targeted namespace.

 

CVSS:2.0 AV:N/AC:H/Au:S/C:C/I:C/A:C [7.1]
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.5]
CWE-264: Permissions, Privileges, and Access Controls

2. Affected Systems


  • Hitachi Vantara - Hitachi Content Platform prior to 8.3.7 and 9.2.3
    { "version": { "and": { "lessThan": "cpe:2.3:a:hitachi:vantara_content_platform:8.3.7" }}}
    { "version": { "and": { "lessThan": "cpe:2.3:a:hitachi:vantara_content_platform:9.2.3" }}}
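
The following is an added example, not part of Hitachi's advisory, for triaging an inventory of HCP versions against the two fixed releases listed above. It assumes each major release line is compared against its own fix (8.x against 8.3.7, 9.x against 9.2.3) and that releases older than 8.x count as affected; the host names and the helper names are constructed for illustration.

```python
import re

# Fixed releases named in the advisory, keyed by major release line.
FIXED = {8: (8, 3, 7), 9: (9, 2, 3)}


def parse_version(text):
    """Parse a dotted version such as '9.2.3' or 'v8.3.7.12' into a tuple of ints."""
    match = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version_text):
    """Return True if the version predates the fix for its release line.

    Assumption (not stated in the advisory): branches are evaluated
    independently, so 8.3.7 is fixed even though it sorts below 9.2.3,
    and 9.0.x is affected even though it sorts above 8.3.7.
    """
    version = parse_version(version_text)
    version += (0,) * (3 - len(version))  # treat '9.2' as 9.2.0
    major = version[0]
    if major in FIXED:
        return version < FIXED[major]
    # Assumption: anything older than the oldest fixed line is affected,
    # anything newer than the newest fixed line already contains the fix.
    return major < min(FIXED)


def triage(inventory):
    """Return the sorted host names whose HCP version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory: host name -> reported HCP version.
    sample = {
        "hcp-a.example": "8.3.6",
        "hcp-b.example": "8.3.7",
        "hcp-c.example": "9.0.1",
        "hcp-d.example": "9.2.3",
    }
    for host in triage(sample):
        print(f"{host}: upgrade required")
```

A single comparison against 9.2.3 would wrongly flag a patched 8.3.7 system, and a single comparison against 8.3.7 would miss an unpatched 9.0.x or 9.1.x system, which is why the check is done per release line.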

3. Impact


Information Disclosure

4. Solution


Users and administrators are encouraged to upgrade to a fixed version.

 

HCP Multitenancy Vulnerability
https://knowledge.hitachivantara.com/Security/HCP_Multitenancy_Vulnerability

 

Alert - HCP A2021040101
https://support.hitachivantara.com/en/user/tech-tips/2021april/A2021040101.html

 

Content Platform - Hitachi Vantara Knowledge
https://www.hitachivantara.com/en-us/products/storage/object-storage/content-platform-anywhere.html

5. References


6. Update history


September 20, 2022

  • This webpage was newly created and published.

Masato Terada (HIRT), Naoko Ohnishi (HIRT) and Brian Williams (Hitachi Vantara)