Lucene search

[email protected]CVE-2023-37427

HistoryAug 22, 2023 - 7:16 p.m.

CVE-2023-37427

2023-08-2219:16:37

[email protected]

web.nvd.nist.gov

cve-2023-37427

edgeconnect

sd-wan orchestrator

vulnerability

remote attacker

arbitrary commands

system compromise

nvd

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.2%

JSON

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to run arbitrary commands on the underlying host. Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.

Affected configurations

NVD

Node

arubanetworksedgeconnect_sd-wan_orchestratorRange9.0.0–9.0.5

arubanetworksedgeconnect_sd-wan_orchestratorRange9.1.0–9.1.7

arubanetworksedgeconnect_sd-wan_orchestratorRange9.2.0–9.2.5

arubanetworksedgeconnect_sd-wan_orchestratorMatch9.3.0

CPENameOperatorVersion
arubanetworks:edgeconnect_sd-wan_orchestratorarubanetworks edgeconnect sd-wan orchestratorle9.0.5
arubanetworks:edgeconnect_sd-wan_orchestratorarubanetworks edgeconnect sd-wan orchestratorle9.1.7
arubanetworks:edgeconnect_sd-wan_orchestratorarubanetworks edgeconnect sd-wan orchestratorle9.2.5
arubanetworks:edgeconnect_sd-wan_orchestratorarubanetworks edgeconnect sd-wan orchestratoreq9.3.0

CPE	Name	Operator	Version
arubanetworks:edgeconnect_sd-wan_orchestrator	arubanetworks edgeconnect sd-wan orchestrator	le	9.0.5
arubanetworks:edgeconnect_sd-wan_orchestrator	arubanetworks edgeconnect sd-wan orchestrator	le	9.1.7
arubanetworks:edgeconnect_sd-wan_orchestrator	arubanetworks edgeconnect sd-wan orchestrator	le	9.2.5
arubanetworks:edgeconnect_sd-wan_orchestrator	arubanetworks edgeconnect sd-wan orchestrator	eq	9.3.0

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "EdgeConnect SD-WAN Orchestrator",
    "vendor": "Hewlett Packard Enterprise (HPE)",
    "versions": [
      {
        "lessThanOrEqual": "<=9.3.0",
        "status": "affected",
        "version": "Orchestrator 9.3.x",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "<=9.2.5",
        "status": "affected",
        "version": "Orchestrator 9.2.x",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "<=9.1.7",
        "status": "affected",
        "version": "Orchestrator 9.1.x",
        "versionType": "semver"
      }
    ]
  }
]

References

www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

7.3 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

26.2%

JSON

Related for CVE-2023-37427

nvd1 prion1 cvelist1