CVE-2022-23241 - Vulnerability Details - OpenCVE

Clustered Data ONTAP versions 9.11.1 through 9.11.1P2 with SnapLock configured FlexGroups are susceptible to a vulnerability which could allow an authenticated remote attacker to arbitrarily modify or delete WORM data prior to the end of the retention period.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Netapp	Clustered Data Ontap

Configuration 1 [-]

OR	cpe:2.3:o:netapp:clustered_data_ontap:9.11.1:-::::::
	cpe:2.3:o:netapp:clustered_data_ontap:9.11.1:p2::::::
	cpe:2.3:o:netapp:clustered_data_ontap:9.11.1:rc1::::::

No data.

References

Link	Providers
https://security.netapp.com/advisory/ntap-20221017-0001/

History

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00175}`	epss `{'score': 0.00219}`

Fri, 09 May 2025 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: netapp

Published: 2022-10-19T00:00:00.000Z

Updated: 2025-05-09T14:54:11.754Z

Reserved: 2022-01-14T00:00:00.000Z

Link: CVE-2022-23241

Vulnrichment

Updated: 2024-08-03T03:36:20.347Z

NVD

Status : Modified

Published: 2022-10-19T18:15:12.780

Modified: 2025-05-09T15:15:50.230

Link: CVE-2022-23241

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-23241", "assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", "assignerShortName": "netapp", "dateUpdated": "2025-05-09T14:54:11.754Z", "dateReserved": "2022-01-14T00:00:00.000Z", "datePublished": "2022-10-19T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", "shortName": "netapp", "dateUpdated": "2022-10-19T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Clustered Data ONTAP versions 9.11.1 through 9.11.1P2 with SnapLock configured FlexGroups are susceptible to a vulnerability which could allow an authenticated remote attacker to arbitrarily modify or delete WORM data prior to the end of the retention period."}], "affected": [{"vendor": "n/a", "product": "Clustered Data ONTAP", "versions": [{"version": "9.11.1 through 9.11.1P2", "status": "affected"}]}], "references": [{"url": "https://security.netapp.com/advisory/ntap-20221017-0001/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Arbitrary Data Modification"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:36:20.347Z"}, "title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20221017-0001/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-05-09T14:53:06.238996Z", "id": "CVE-2022-23241", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T14:54:11.754Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20221017-0001/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:36:20.347Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2022-23241", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-09T14:53:06.238996Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-09T14:54:05.347Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "Clustered Data ONTAP", "versions": [{"status": "affected", "version": "9.11.1 through 9.11.1P2"}]}], "references": [{"url": "https://security.netapp.com/advisory/ntap-20221017-0001/"}], "descriptions": [{"lang": "en", "value": "Clustered Data ONTAP versions 9.11.1 through 9.11.1P2 with SnapLock configured FlexGroups are susceptible to a vulnerability which could allow an authenticated remote attacker to arbitrarily modify or delete WORM data prior to the end of the retention period."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Arbitrary Data Modification"}]}], "providerMetadata": {"orgId": "11fdca00-0482-4c88-a206-37f9c182c87d", "shortName": "netapp", "dateUpdated": "2022-10-19T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2022-23241", "state": "PUBLISHED", "dateUpdated": "2025-05-09T14:54:11.754Z", "dateReserved": "2022-01-14T00:00:00.000Z", "assignerOrgId": "11fdca00-0482-4c88-a206-37f9c182c87d", "datePublished": "2022-10-19T00:00:00.000Z", "assignerShortName": "netapp"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:clustered_data_ontap:9.11.1:-:*:*:*:*:*:*", "matchCriteriaId": "5FA41D1E-1184-448E-A5E4-7F8FDAACC638", "vulnerable": true}, {"criteria": "cpe:2.3:o:netapp:clustered_data_ontap:9.11.1:p2:*:*:*:*:*:*", "matchCriteriaId": "CEFAFD31-9873-4B15-89CB-617FE07A7606", "vulnerable": true}, {"criteria": "cpe:2.3:o:netapp:clustered_data_ontap:9.11.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "6600735C-0A90-4E39-B71B-8F9C73F80BB3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Clustered Data ONTAP versions 9.11.1 through 9.11.1P2 with SnapLock configured FlexGroups are susceptible to a vulnerability which could allow an authenticated remote attacker to arbitrarily modify or delete WORM data prior to the end of the retention period."}, {"lang": "es", "value": "Clustered Data ONTAP versiones 9.11.1 hasta 9.11.1P2, de con FlexGroups configurados con SnapLock son susceptibles de una vulnerabilidad que podr\u00eda permitir a un atacante remoto autenticado modificar o eliminar arbitrariamente los datos WORM antes de que finalice el per\u00edodo de retenci\u00f3n"}], "id": "CVE-2022-23241", "lastModified": "2025-05-09T15:15:50.230", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2022-10-19T18:15:12.780", "references": [{"source": "security-alert@netapp.com", "tags": ["Vendor Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221017-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.netapp.com/advisory/ntap-20221017-0001/"}], "sourceIdentifier": "security-alert@netapp.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}