Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.
Sign In Create an Account Dell Financial Services Premier Sign In Partner Program Sign In
Contact Us

Your Dell.com Carts

Article Number: 000225910

DSA-2024-181: Security Update for Dell Secure Connect Gateway-Application and Appliance Multiple Vulnerabilities.

Summary: Dell Secure Connect Gateway (SCG) Application and Appliance remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system. ...

Article Content

Impact

Medium

Details

Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2024-28965 Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal enable REST API (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain Internal APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources and change of state. 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-28966 Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal update REST API (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources and change of state. 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-28967 Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal maintenance REST API (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources and change of state. 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-28968 Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for internal email and collection settings REST APIs (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources and change of state. 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-28969 Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal update REST API (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources. 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-29168
   
 		 Dell SCG, versions prior to 5.22.00.00, contain a SQL Injection Vulnerability in the SCG UI for an internal assets REST API. A remote authenticated attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database causing potential unauthorized access and modification of application data. 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-29169 Dell SCG, versions prior to 5.22.00.00, contain a SQL Injection Vulnerability in the SCG UI for an internal audit REST API. A remote authenticated attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database causing potential unauthorized access and modification of application data. 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
This hyperlink is taking you to a website outside of Dell Technologies.
Proprietary Code CVEs Description CVSS Base Score CVSS Vector String
CVE-2024-28965 Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal enable REST API (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain Internal APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources and change of state. 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-28966 Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal update REST API (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources and change of state. 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-28967 Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal maintenance REST API (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources and change of state. 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-28968 Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for internal email and collection settings REST APIs (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources and change of state. 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-28969 Dell SCG, versions prior to 5.24.00.00, contain an Improper Access Control vulnerability in the SCG exposed for an internal update REST API (if enabled by Admin user from UI). A remote low privileged attacker could potentially exploit this vulnerability, leading to the execution of certain APIs applicable only for Admin Users on the application's backend database that could potentially allow an unauthorized user access to restricted resources. 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-29168
   
 		 Dell SCG, versions prior to 5.22.00.00, contain a SQL Injection Vulnerability in the SCG UI for an internal assets REST API. A remote authenticated attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database causing potential unauthorized access and modification of application data. 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
This hyperlink is taking you to a website outside of Dell Technologies.
CVE-2024-29169 Dell SCG, versions prior to 5.22.00.00, contain a SQL Injection Vulnerability in the SCG UI for an internal audit REST API. A remote authenticated attacker could potentially exploit this vulnerability, leading to the execution of certain SQL commands on the application's backend database causing potential unauthorized access and modification of application data. 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
This hyperlink is taking you to a website outside of Dell Technologies.
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed Product Affected Versions Remediated Versions Link
CVE-2024-28965, CVE-2024-28966, CVE-2024-28967, CVE-2024-28968, CVE-2024-28969, CVE-2024-29168, CVE-2024-29169 Secure Connect Gateway-Application Versions 5.18.00.20 through 5.22.00.18
 		 Version 5.24.00.14 or later Secure Connect Gateway | Application

 
CVE-2024-28965, CVE-2024-28966, CVE-2024-28967, CVE-2024-28968, CVE-2024-28969, CVE-2024-29168, CVE-2024-29169 Secure Connect Gateway-Appliance Versions 5.18.00.20 through 5.22.00.18
 		 Version 5.24.00.14 or later Secure Connect Gateway | Appliance
 
CVEs Addressed Product Affected Versions Remediated Versions Link
CVE-2024-28965, CVE-2024-28966, CVE-2024-28967, CVE-2024-28968, CVE-2024-28969, CVE-2024-29168, CVE-2024-29169 Secure Connect Gateway-Application Versions 5.18.00.20 through 5.22.00.18
 		 Version 5.24.00.14 or later Secure Connect Gateway | Application

 
CVE-2024-28965, CVE-2024-28966, CVE-2024-28967, CVE-2024-28968, CVE-2024-28969, CVE-2024-29168, CVE-2024-29169 Secure Connect Gateway-Appliance Versions 5.18.00.20 through 5.22.00.18
 		 Version 5.24.00.14 or later Secure Connect Gateway | Appliance
 
Dell recommends keeping the Secure Connect Gateway Application and Secure Connect Gateway Appliance updated to the latest version.

Workarounds and Mitigations

None

Acknowledgements

Dell would like to thank saltedfish for reporting CVE-2024-29168 and CVE-2024-29169.

Revision History

RevisionDateDescription
1.02024-06-10Initial Release
2.02024-06-11Updated revision number for the affected versions
3.02024-06-12Updated title

 

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Legal Information

Article Properties

Last Published Date

12 Jun 2024

Article Type

Dell Security Advisory

Back to Top