CVE-2019-11996
First published: Thu Nov 07 2019(Updated: )
Potential security vulnerabilities have been identified with HPE Nimble Storage systems in multi array group configurations. The vulnerabilities could be exploited by an attacker to gain elevated privileges on the array. The following NimbleOS versions, and all subsequent releases, contain a software fix for this vulnerability: 3.9.2.0, 4.5.5.0, 5.0.8.0 and 5.1.3.0.
Credit: security-alert@hpe.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Hpe Nimbleos | >=3.1.0.0<=3.9.1.0 | |
| Hpe Nimbleos | >=4.1.0.0<=4.5.4.0 | |
| Hpe Nimbleos | >=5.0.1.0<=5.0.7.0 | |
| Hpe Nimbleos | >=5.1.0.0<=5.1.2.0 | |
| Hpe Nimble Storage Af20 All Flash Array | ||
| Hpe Nimble Storage Af20q All Flash Dual Controller | ||
| Hpe Nimble Storage Af40 All Flash Dual Controller | ||
| Hpe Nimble Storage Af60 All Flash Dual Controller | ||
| Hpe Nimble Storage Af80 All Flash Dual Controller | ||
| Hpe Nimble Storage Cs3000 | ||
| Hpe Nimble Storage Cs5000 | ||
| Hpe Nimble Storage Cs7000 | ||
| HPE Nimble Storage Secondary Flash Arrays |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of the HPE Nimble Storage vulnerability?
The vulnerability ID of the HPE Nimble Storage vulnerability is CVE-2019-11996.
What is the severity of CVE-2019-11996?
The severity of CVE-2019-11996 is critical, with a score of 9.8 out of 10.
Which HPE Nimble Storage systems are affected by CVE-2019-11996?
HPE Nimble Storage systems running NimbleOS versions 3.1.0.0 to 3.9.1.0, 4.1.0.0 to 4.5.4.0, 5.0.1.0 to 5.0.7.0, and 5.1.0.0 to 5.1.2.0 are affected by CVE-2019-11996.
What can an attacker do with CVE-2019-11996?
An attacker exploiting CVE-2019-11996 can gain elevated privileges on the HPE Nimble Storage array.
How can I fix the CVE-2019-11996 vulnerability?
To fix the CVE-2019-11996 vulnerability, upgrade to a version of NimbleOS that is not affected by the vulnerability as mentioned in the HPE advisory.
- collector/nvd-index
- agent/severity
- agent/references
- agent/author
- agent/tags
- agent/type
- agent/description
- agent/event
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/hpe
- canonical/hpe nimbleos
- version/hpe nimbleos/3.1.0.0
- version/hpe nimbleos/3.9.1.0
- version/hpe nimbleos/4.1.0.0
- version/hpe nimbleos/4.5.4.0
- version/hpe nimbleos/5.0.1.0
- version/hpe nimbleos/5.0.7.0
- version/hpe nimbleos/5.1.0.0
- version/hpe nimbleos/5.1.2.0
- canonical/hpe nimble storage af20 all flash array
- canonical/hpe nimble storage af20q all flash dual controller
- canonical/hpe nimble storage af40 all flash dual controller
- canonical/hpe nimble storage af60 all flash dual controller
- canonical/hpe nimble storage af80 all flash dual controller
- canonical/hpe nimble storage cs3000
- canonical/hpe nimble storage cs5000
- canonical/hpe nimble storage cs7000
- canonical/hpe nimble storage secondary flash arrays