CVE-2022-28620

A remote authentication bypass vulnerability was discovered in HPE Cray Legacy Shasta System Solutions; HPE Slingshot; and HPE Cray EX supercomputers versions: Prior to node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware associated with HPE Cray EX liquid cooled cabinets prior to 1.6.27/1.5.33/1.4.27; All Slingshot versions prior to 1.7.2; All versions of node controller firmware associated with HPE Cray EX liquid cooled blades, and all versions of chassis controller firmware associated with HPE Cray EX liquid cooled cabinets prior to 1.6.27/1.5.33/1.4.27. HPE has provided a software update to resolve this vulnerability in HPE Cray Legacy Shasta System Solutions, HPE Slingshot, and HPE Cray EX Supercomputers.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbcr04284en_us	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:hpe:slingshot_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:hpe:slingshot:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

OR	cpe:2.3:o:hpe:cray_ex_supercomputers_firmware:1.4.27:::::::*
	cpe:2.3:o:hpe:cray_ex_supercomputers_firmware:1.5.33:::::::*
	cpe:2.3:o:hpe:cray_ex_supercomputers_firmware:1.6.27:::::::*

cpe:2.3:h:hpe:cray_ex_supercomputers:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

OR	cpe:2.3:o:hpe:cray_sh_supercomputer_air_cooled_base_system_code_firmware:1.4.27:::::::*
	cpe:2.3:o:hpe:cray_sh_supercomputer_air_cooled_base_system_code_firmware:1.5.33:::::::*
	cpe:2.3:o:hpe:cray_sh_supercomputer_air_cooled_base_system_code_firmware:1.6.27:::::::*

cpe:2.3:h:hpe:cray_sh_supercomputer_air_cooled_base_system_code:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

OR	cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_base_system_code_firmware:1.4.27:::::::*
	cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_base_system_code_firmware:1.5.33:::::::*
	cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_base_system_code_firmware:1.6.27:::::::*

cpe:2.3:h:hpe:cray_sh_supercomputer_liquid_cooled_base_system_code:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

OR	cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_tds_base_system_code_firmware:1.4.27:::::::*
	cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_tds_base_system_code_firmware:1.5.33:::::::*
	cpe:2.3:o:hpe:cray_sh_supercomputer_liquid_cooled_tds_base_system_code_firmware:1.6.27:::::::*

cpe:2.3:h:hpe:cray_sh_supercomputer_liquid_cooled_tds_base_system_code:-:*:*:*:*:*:*:*

History

08 Aug 2023, 14:21

Type	Values Removed	Values Added
CWE	~~CWE-287~~	NVD-CWE-noinfo

Information

Published : 2022-06-24 15:15

Updated : 2024-02-28 19:09

NVD link : CVE-2022-28620

Mitre link : CVE-2022-28620

CVE.ORG link : CVE-2022-28620

JSON object : View

Products Affected

hpe

slingshot
slingshot_firmware
cray_sh_supercomputer_liquid_cooled_base_system_code
cray_sh_supercomputer_liquid_cooled_base_system_code_firmware
cray_sh_supercomputer_air_cooled_base_system_code_firmware
cray_ex_supercomputers_firmware
cray_sh_supercomputer_liquid_cooled_tds_base_system_code
cray_ex_supercomputers
cray_sh_supercomputer_air_cooled_base_system_code
cray_sh_supercomputer_liquid_cooled_tds_base_system_code_firmware

CWE

NVD-CWE-noinfo

9.8 /10