Lucene search

HpeCVELIST:CVE-2023-25589

HistoryMar 14, 2023 - 2:44 p.m.

CVE-2023-25589 Unauthenticated Arbitrary User Creation Leads to Complete System Compromise

2023-03-1414:44:57

hpe

www.cve.org

web-based interface

unauthenticated

remote attacker

arbitrary users

exploit

cluster compromise

cve-2023-25589

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.003

Percentile

69.2%

JSON

A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to create arbitrary users on the platform. A successful exploit allows an attacker to achieve total cluster compromise.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Aruba ClearPass Policy Manager",
    "vendor": "Hewlett Packard Enterprise (HPE)",
    "versions": [
      {
        "status": "affected",
        "version": "6.11.1 and below"
      },
      {
        "status": "affected",
        "version": "6.10.8 and below"
      },
      {
        "status": "affected",
        "version": "6.9.13 and below"
      }
    ]
  }
]

References

www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-003.txt

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.003

Percentile

69.2%

JSON

Related for CVELIST:CVE-2023-25589