Hitachi Incident Response Team

hitachi-sec-2021-604 : Hitachi Content Platform Information Disclosure Vulnerability

Last Update: September 20, 2022

1. Overview

A vulnerability has been found in Hitachi Vantara - Hitachi Content Platform.

CVE-2021-28052: Hitachi Content Platform Information Disclosure Vulnerability
A tenant administrator of Hitachi Content Platform (HCP) may modify the configuration in another tenant without authorization, potentially allowing unauthorized access to data in the other tenant. Also, a tenant user (non-administrator) may view the configuration in another tenant without authorization. In both cases, the unauthorized user must know the Namespace UUID of the targeted namespace.

CVSS:2.0 AV:N/AC:H/Au:S/C:C/I:C/A:C [7.1]
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H [7.5]
CWE-264: Permissions, Privileges, and Access Controls

2. Affected Systems

  • Hitachi Vantara - Hitachi Content Platform prior to 8.3.7 and 9.2.3
    { "version": { "and": { "lessThan": "cpe:2.3:a:hitachi:vantara_content_platform:8.3.7" }}}
    { "version": { "and": { "lessThan": "cpe:2.3:a:hitachi:vantara_content_platform:9.2.3" }}}

3. Impact

Information Disclosure

4. Solution

Users and administrators are encouraged to upgrade to a fixed version.

6. Update history

September 20, 2022
  • This webpage was newly created and published.

Masato Terada (HIRT), Naoko Ohnishi (HIRT) and Brian Williams (Hitachi Vantara)