Skip to main content
Pure Technical Services

Security Bulletin for Privilege Escalation in VASA CVE-2023-36628

Currently viewing public documentation. Please login to access the full scope of documentation.


A flaw exists in VASA which allows users with access to a vSphere/ESXi VMware admin on a FlashArray to gain root access through privilege escalation.  

Pure Storage has reserved CVE-2023-36628 in response to this issue.  

Base CVSS 3.1 Score Severity Vector
8.8 High  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Corrective ActionEdit section

  • This issue is present in FlashArray Purity (OE) versions 6.1.x, 6.2.x, 6.3.0 - 6.3.11, 6.4.0 - 6.4.5.

  • This issue is first resolved in //FlashArray Purity (OE) versions 6.3.12, 6.4.6. 

  • 6.3.13 or later, and 6.4.7 or later are unaffected.  

Acknowledgements/ References

  • N/A