CVE-2025-21120 (GCVE-0-2025-21120)
Vulnerability from cvelistv5
Published
2025-08-04 18:33
Modified
2025-08-07 03:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-650 - Trusting HTTP Permission Methods on the Server Side
Summary
Dell Avamar, versions prior to 19.12 with patch 338905, excluding version 19.10SP1 with patch 338904, contains a Trusting HTTP Permission Methods on the Server-Side vulnerability in Security. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ► | Dell | Avamar Data Store Gen4T |
Version: 19.12 ≤ |
||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-21120",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-06T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-07T03:55:25.917Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Avamar Data Store Gen4T",
"vendor": "Dell",
"versions": [
{
"lessThan": "Version 19.12 with patch 338905 or later",
"status": "affected",
"version": "19.12",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Avamar Data Store Gen4T",
"vendor": "Dell",
"versions": [
{
"lessThan": "19.10SP1 with patch 338904 or later",
"status": "affected",
"version": "19.10, 19.10-SP1, 19.7, 19.8, 19.9 and 19.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Avamar Data Store Gen5A",
"vendor": "Dell",
"versions": [
{
"lessThan": "19.12 with patch 338905 or later",
"status": "affected",
"version": "19.12",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Avamar Data Store Gen5A",
"vendor": "Dell",
"versions": [
{
"lessThan": "19.10SP1 with patch 338904 or later",
"status": "affected",
"version": "19.10, 19.10-SP1, 19.7, 19.8, 19.9 and 19.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Avamar Virtual Edition for VMware ESXi and vSphere",
"vendor": "Dell",
"versions": [
{
"lessThan": "19.12 with patch 338905 or later",
"status": "affected",
"version": "19.12",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Avamar Virtual Edition for VMware ESXi and vSphere",
"vendor": "Dell",
"versions": [
{
"lessThan": "19.10SP1 with patch 338904 or later",
"status": "affected",
"version": "19.10, 19.10-SP1, 19.7, 19.8, 19.9 and 19.4",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Avamar Virtual Edition for VMware vSphere only",
"vendor": "Dell",
"versions": [
{
"lessThan": "19.12 with patch 338905 or later",
"status": "affected",
"version": "19.12",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Avamar Virtual Edition for VMware vSphere only",
"vendor": "Dell",
"versions": [
{
"lessThan": "19.10SP1 with patch 338904 or later",
"status": "affected",
"version": "19.10, 19.10-SP1, 19.7, 19.8, 19.9 and 19.4",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-07-21T17:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Dell Avamar, versions prior to 19.12 with patch 338905, excluding version 19.10SP1 with patch 338904, contains a Trusting HTTP Permission Methods on the Server-Side vulnerability in Security. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure."
}
],
"value": "Dell Avamar, versions prior to 19.12 with patch 338905, excluding version 19.10SP1 with patch 338904, contains a Trusting HTTP Permission Methods on the Server-Side vulnerability in Security. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-650",
"description": "CWE-650: Trusting HTTP Permission Methods on the Server Side",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-04T18:33:07.220Z",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dell.com/support/kbdoc/en-us/000347698/dsa-2025-271-security-update-for-dell-avamar-and-dell-avamar-virtual-edition-multiple-vulnerabilities"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2025-21120",
"datePublished": "2025-08-04T18:33:07.220Z",
"dateReserved": "2024-11-23T06:04:00.843Z",
"dateUpdated": "2025-08-07T03:55:25.917Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-21120\",\"sourceIdentifier\":\"security_alert@emc.com\",\"published\":\"2025-08-04T19:15:30.210\",\"lastModified\":\"2025-08-05T14:34:17.327\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Dell Avamar, versions prior to 19.12 with patch 338905, excluding version 19.10SP1 with patch 338904, contains a Trusting HTTP Permission Methods on the Server-Side vulnerability in Security. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.\"},{\"lang\":\"es\",\"value\":\"Dell Avamar, versiones anteriores a la 19.12 con el parche 338905, excepto la versi\u00f3n 19.10SP1 con el parche 338904, contiene una vulnerabilidad de seguridad relacionada con los m\u00e9todos de permisos HTTP de confianza en el servidor. Un atacante con pocos privilegios y acceso remoto podr\u00eda explotar esta vulnerabilidad, lo que provocar\u00eda la exposici\u00f3n de informaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security_alert@emc.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L\",\"baseScore\":8.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":5.5}]},\"weaknesses\":[{\"source\":\"security_alert@emc.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-650\"}]}],\"references\":[{\"url\":\"https://www.dell.com/support/kbdoc/en-us/000347698/dsa-2025-271-security-update-for-dell-avamar-and-dell-avamar-virtual-edition-multiple-vulnerabilities\",\"source\":\"security_alert@emc.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-21120\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-04T19:16:51.990675Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-04T19:16:53.698Z\"}}], \"cna\": {\"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Dell\", \"product\": \"Avamar Data Store Gen4T\", \"versions\": [{\"status\": \"affected\", \"version\": \"19.12\", \"lessThan\": \"Version 19.12 with patch 338905 or later\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Dell\", \"product\": \"Avamar Data Store Gen4T\", \"versions\": [{\"status\": \"affected\", \"version\": \"19.10, 19.10-SP1, 19.7, 19.8, 19.9 and 19.4\", \"lessThan\": \"19.10SP1 with patch 338904 or later\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Dell\", \"product\": \"Avamar Data Store Gen5A\", \"versions\": [{\"status\": \"affected\", \"version\": \"19.12\", \"lessThan\": \"19.12 with patch 338905 or later\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Dell\", \"product\": \"Avamar Data Store Gen5A\", \"versions\": [{\"status\": \"affected\", \"version\": \"19.10, 19.10-SP1, 19.7, 19.8, 19.9 and 19.4\", \"lessThan\": \"19.10SP1 with patch 338904 or later\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Dell\", \"product\": \"Avamar Virtual Edition for VMware ESXi and vSphere\", \"versions\": [{\"status\": \"affected\", \"version\": \"19.12\", \"lessThan\": \"19.12 with patch 338905 or later\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Dell\", \"product\": \"Avamar Virtual Edition for VMware ESXi and vSphere\", \"versions\": [{\"status\": \"affected\", \"version\": \"19.10, 19.10-SP1, 19.7, 19.8, 19.9 and 19.4\", \"lessThan\": \"19.10SP1 with patch 338904 or later\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Dell\", \"product\": \"Avamar Virtual Edition for VMware vSphere only\", \"versions\": [{\"status\": \"affected\", \"version\": \"19.12\", \"lessThan\": \"19.12 with patch 338905 or later\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"Dell\", \"product\": \"Avamar Virtual Edition for VMware vSphere only\", \"versions\": [{\"status\": \"affected\", \"version\": \"19.10, 19.10-SP1, 19.7, 19.8, 19.9 and 19.4\", \"lessThan\": \"19.10SP1 with patch 338904 or later\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2025-07-21T17:00:00.000Z\", \"references\": [{\"url\": \"https://www.dell.com/support/kbdoc/en-us/000347698/dsa-2025-271-security-update-for-dell-avamar-and-dell-avamar-virtual-edition-multiple-vulnerabilities\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Dell Avamar, versions prior to 19.12 with patch 338905, excluding version 19.10SP1 with patch 338904, contains a Trusting HTTP Permission Methods on the Server-Side vulnerability in Security. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Dell Avamar, versions prior to 19.12 with patch 338905, excluding version 19.10SP1 with patch 338904, contains a Trusting HTTP Permission Methods on the Server-Side vulnerability in Security. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-650\", \"description\": \"CWE-650: Trusting HTTP Permission Methods on the Server Side\"}]}], \"providerMetadata\": {\"orgId\": \"c550e75a-17ff-4988-97f0-544cde3820fe\", \"shortName\": \"dell\", \"dateUpdated\": \"2025-08-04T18:33:07.220Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-21120\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-07T03:55:25.917Z\", \"dateReserved\": \"2024-11-23T06:04:00.843Z\", \"assignerOrgId\": \"c550e75a-17ff-4988-97f0-544cde3820fe\", \"datePublished\": \"2025-08-04T18:33:07.220Z\", \"assignerShortName\": \"dell\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…