CVE-2022-37915

A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to a complete system compromise of Aruba EdgeConnect Enterprise Orchestration with versions 9.1.x branch only, Any 9.1.x Orchestrator instantiated as a new machine with a release prior to 9.1.3.40197, Orchestrators upgraded to 9.1.x were not affected.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-015.txt	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:on-premises:*:*:*

History

01 Nov 2022, 14:43

Type	Values Removed	Values Added
References	~~(MISC) https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-015.txt -~~	(MISC) https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-015.txt - Mitigation, Vendor Advisory
CPE		cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::on-premises:::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CWE		NVD-CWE-noinfo

28 Oct 2022, 02:33

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-10-28 02:15

Updated : 2024-02-04 22:51

NVD link : CVE-2022-37915

Mitre link : CVE-2022-37915

CVE.ORG link : CVE-2022-37915

JSON object : View

Products Affected

arubanetworks

aruba_edgeconnect_enterprise_orchestrator

CWE

NVD-CWE-noinfo

{"id": "CVE-2022-37915", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-10-28T02:15:17.600", "references": [{"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-015.txt", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-alert@hpe.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to a complete system compromise of Aruba EdgeConnect Enterprise Orchestration with versions 9.1.x branch only, Any 9.1.x Orchestrator instantiated as a new machine with a release prior to 9.1.3.40197, Orchestrators upgraded to 9.1.x were not affected."}, {"lang": "es", "value": "Una vulnerabilidad en la interfaz de administraci\u00f3n basada en web de Aruba EdgeConnect Enterprise Orchestrator podr\u00eda permitir que un atacante remoto no autenticado ejecute comandos arbitrarios en el host subyacente. La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir a un atacante ejecutar comandos arbitrarios en el sistema operativo subyacente, lo que provocar\u00eda un compromiso completo del sistema de Aruba EdgeConnect Enterprise Orchestration solo con la rama 9.1.x, cualquier Orchestrator 9.1.x instanciado como una nueva m\u00e1quina con una versi\u00f3n Antes de 9.1.3.40197, los orquestadores actualizados a 9.1.x no se ve\u00edan afectados."}], "lastModified": "2022-11-01T14:43:23.570", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:on-premises:*:*:*", "vulnerable": true, "matchCriteriaId": "CAD6FA14-46EA-4CD0-A4C0-4299F9C48539", "versionEndExcluding": "9.1.3.40197", "versionStartIncluding": "9.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-alert@hpe.com"}