Search criteria
66 vulnerabilities found for Aruba ClearPass Policy Manager by Hewlett Packard Enterprise (HPE)
CVE-2024-26302 (GCVE-0-2024-26302)
Vulnerability from cvelistv5 – Published: 2024-02-27 22:11 – Updated: 2025-08-27 15:41
VLAI?
Summary
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.
Severity ?
4.8 (Medium)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
Aruba ClearPass Policy Manager engineering team
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26302",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-28T18:11:03.319147Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T15:41:33.954Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Aruba ClearPass Policy Manager engineering team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.\u003c/p\u003e"
}
],
"value": "A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T22:11:37.929Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26302",
"datePublished": "2024-02-27T22:11:37.929Z",
"dateReserved": "2024-02-16T19:42:43.186Z",
"dateUpdated": "2025-08-27T15:41:33.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26301 (GCVE-0-2024-26301)
Vulnerability from cvelistv5 – Published: 2024-02-27 22:10 – Updated: 2025-03-13 16:43
VLAI?
Summary
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.
Severity ?
6.5 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
Niels De Carpentier
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.580Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26301",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T16:54:02.591331Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T16:43:00.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Niels De Carpentier"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.\u003c/p\u003e"
}
],
"value": "A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T22:10:54.804Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26301",
"datePublished": "2024-02-27T22:10:54.804Z",
"dateReserved": "2024-02-16T19:42:43.186Z",
"dateUpdated": "2025-03-13T16:43:00.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26300 (GCVE-0-2024-26300)
Vulnerability from cvelistv5 – Published: 2024-02-27 22:06 – Updated: 2024-11-07 11:07
VLAI?
Summary
A vulnerability in the guest interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
Severity ?
6.6 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
Kajetan Rostojek (@kaje11)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26300",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-28T20:30:02.698599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T11:07:53.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.150Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Kajetan Rostojek (@kaje11)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in the guest interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim\u0027s browser in the context of the affected interface.\u003c/p\u003e"
}
],
"value": "A vulnerability in the guest interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim\u0027s browser in the context of the affected interface.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T22:06:49.616Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26300",
"datePublished": "2024-02-27T22:06:49.616Z",
"dateReserved": "2024-02-16T19:42:43.186Z",
"dateUpdated": "2024-11-07T11:07:53.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26299 (GCVE-0-2024-26299)
Vulnerability from cvelistv5 – Published: 2024-02-27 22:05 – Updated: 2024-11-04 18:44
VLAI?
Summary
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
Severity ?
6.6 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
S4thi5h
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26299",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-28T18:16:03.637814Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T18:44:31.292Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.082Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "S4thi5h"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim\u0027s browser in the context of the affected interface.\u003c/p\u003e"
}
],
"value": "A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim\u0027s browser in the context of the affected interface.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T22:05:37.624Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26299",
"datePublished": "2024-02-27T22:05:37.624Z",
"dateReserved": "2024-02-16T19:42:43.186Z",
"dateUpdated": "2024-11-04T18:44:31.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26298 (GCVE-0-2024-26298)
Vulnerability from cvelistv5 – Published: 2024-02-27 22:04 – Updated: 2024-08-02 00:07
VLAI?
Summary
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
Severity ?
7.2 (High)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
Kajetan Rostojek (@kaje11)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.11.6",
"status": "affected",
"version": "6.11.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.10.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.10.8_hotfix_q4_2023",
"status": "affected",
"version": "6.10.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.9.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.9.13_hotfix_q4_2023",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.12.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"status": "affected",
"version": "6.12.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26298",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-28T18:31:43.549918Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T17:06:46.357Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.557Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Kajetan Rostojek (@kaje11)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\u003c/p\u003e"
}
],
"value": "Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T22:04:58.511Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26298",
"datePublished": "2024-02-27T22:04:58.511Z",
"dateReserved": "2024-02-16T19:42:43.185Z",
"dateUpdated": "2024-08-02T00:07:19.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26297 (GCVE-0-2024-26297)
Vulnerability from cvelistv5 – Published: 2024-02-27 22:03 – Updated: 2024-08-02 00:07
VLAI?
Summary
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
Severity ?
7.2 (High)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
Kajetan Rostojek (@kaje11)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.11.6",
"status": "affected",
"version": "6.11.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.10.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.10.8_hotfix_q4_2023",
"status": "affected",
"version": "6.10.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.9.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.9.13_hotfix_q4_2023",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.12.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"status": "affected",
"version": "6.12.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26297",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T17:05:17.518713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T17:05:48.113Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.261Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Kajetan Rostojek (@kaje11)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\u003c/p\u003e"
}
],
"value": "Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T22:03:55.507Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26297",
"datePublished": "2024-02-27T22:03:55.507Z",
"dateReserved": "2024-02-16T19:42:43.185Z",
"dateUpdated": "2024-08-02T00:07:19.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26296 (GCVE-0-2024-26296)
Vulnerability from cvelistv5 – Published: 2024-02-27 21:57 – Updated: 2024-08-02 00:07
VLAI?
Summary
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
Severity ?
7.2 (High)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
Kajetan Rostojek (@kaje11)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.11.6",
"status": "affected",
"version": "6.11.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.10.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.10.8_hotfix_q4_2023",
"status": "affected",
"version": "6.10.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.9.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.9.13_hotfix_q4_2023",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.12.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"status": "affected",
"version": "6.12.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26296",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-28T18:42:16.443596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T17:04:58.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.027Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Kajetan Rostojek (@kaje11)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\u003c/p\u003e"
}
],
"value": "Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T21:57:24.846Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26296",
"datePublished": "2024-02-27T21:57:24.846Z",
"dateReserved": "2024-02-16T19:42:43.185Z",
"dateUpdated": "2024-08-02T00:07:19.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26295 (GCVE-0-2024-26295)
Vulnerability from cvelistv5 – Published: 2024-02-27 21:56 – Updated: 2024-08-02 00:07
VLAI?
Summary
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
Severity ?
7.2 (High)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
Daniel Jensen (@dozernz)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.11.6",
"status": "affected",
"version": "6.11.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.10.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.10.8_hotfix_q4_2023",
"status": "affected",
"version": "6.10.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.9.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.9.13_hotfix_q4_2023",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.12.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"status": "affected",
"version": "6.12.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26295",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T17:06:06.521964Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T17:06:09.062Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.403Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Jensen (@dozernz)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\u003c/p\u003e"
}
],
"value": "Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T21:56:22.295Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26295",
"datePublished": "2024-02-27T21:56:22.295Z",
"dateReserved": "2024-02-16T19:42:43.185Z",
"dateUpdated": "2024-08-02T00:07:19.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26294 (GCVE-0-2024-26294)
Vulnerability from cvelistv5 – Published: 2024-02-27 21:54 – Updated: 2024-08-02 00:07
VLAI?
Summary
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
Severity ?
7.2 (High)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
Daniel Jensen (@dozernz)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.11.6",
"status": "affected",
"version": "6.11.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.10.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.10.8_hotfix_q4_2023",
"status": "affected",
"version": "6.10.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.9.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.9.13_hotfix_q4_2023",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.12.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"status": "affected",
"version": "6.12.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26294",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T17:05:55.708273Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T17:05:58.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:18.955Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Jensen (@dozernz)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\u003c/p\u003e"
}
],
"value": "Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T21:54:21.857Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26294",
"datePublished": "2024-02-27T21:54:21.857Z",
"dateReserved": "2024-02-16T19:42:43.184Z",
"dateUpdated": "2024-08-02T00:07:18.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43510 (GCVE-0-2023-43510)
Vulnerability from cvelistv5 – Published: 2023-10-24 18:14 – Updated: 2024-09-11 17:17
VLAI?
Summary
A vulnerability in the ClearPass Policy Manager web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as a non-privileged user on the underlying operating system leading to partial system compromise.
Severity ?
4.7 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.11.x: 6.11.4 and below , ≤ <=6.11.4
(semver)
Affected: ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below Affected: ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below |
Credits
Daniel Jensen (@dozernz)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:42.674Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43510",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T17:16:43.166442Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:17:15.639Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "\u003c=6.11.4",
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.4 and below",
"versionType": "semver"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Jensen (@dozernz)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in the ClearPass Policy Manager web-based\u0026nbsp;management interface allows remote authenticated users to\u0026nbsp;run arbitrary commands on the underlying host. A successful\u0026nbsp;exploit could allow an attacker to execute arbitrary\u0026nbsp;commands as a non-privileged user on the underlying\u0026nbsp;operating system leading to partial system compromise."
}
],
"value": "A vulnerability in the ClearPass Policy Manager web-based\u00a0management interface allows remote authenticated users to\u00a0run arbitrary commands on the underlying host. A successful\u00a0exploit could allow an attacker to execute arbitrary\u00a0commands as a non-privileged user on the underlying\u00a0operating system leading to partial system compromise."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T18:14:37.992Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Remote Command Injection in ClearPass Policy Manager Web-Based Management Interface Leading to Partial System Compromise",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2023-43510",
"datePublished": "2023-10-24T18:14:37.992Z",
"dateReserved": "2023-09-19T14:41:06.499Z",
"dateUpdated": "2024-09-11T17:17:15.639Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43509 (GCVE-0-2023-43509)
Vulnerability from cvelistv5 – Published: 2023-10-24 18:13 – Updated: 2024-09-11 17:42
VLAI?
Summary
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to send notifications to computers that are running ClearPass OnGuard. These notifications can then be used to phish users or trick them into downloading malicious software.
Severity ?
5.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.11.x: 6.11.4 and below , ≤ <=6.11.4
(semver)
Affected: ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below Affected: ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below |
Credits
Luke Young (bugcrowd.com/bored-engineer)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:42.755Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hpe:aruba_clear_pass_policy_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "aruba_clear_pass_policy_manager",
"vendor": "hpe",
"versions": [
{
"lessThanOrEqual": "6.11.4",
"status": "affected",
"version": "6.11x",
"versionType": "custom"
},
{
"lessThan": "6.10.8",
"status": "affected",
"version": "6.10x",
"versionType": "custom"
},
{
"lessThan": "6.9.13",
"status": "affected",
"version": "6.9x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43509",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T17:35:06.867846Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:42:00.784Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "\u003c=6.11.4",
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.4 and below",
"versionType": "semver"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Luke Young (bugcrowd.com/bored-engineer)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in the web-based management interface of\u0026nbsp;ClearPass Policy Manager could allow an unauthenticated\u0026nbsp;remote attacker to send notifications to computers that are\u0026nbsp;running ClearPass OnGuard. These notifications can then be\u0026nbsp;used to phish users or trick them into downloading malicious\u0026nbsp;software."
}
],
"value": "A vulnerability in the web-based management interface of\u00a0ClearPass Policy Manager could allow an unauthenticated\u00a0remote attacker to send notifications to computers that are\u00a0running ClearPass OnGuard. These notifications can then be\u00a0used to phish users or trick them into downloading malicious\u00a0software."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T18:13:15.076Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Endpoint Allows Sending Arbitrary OnGuard Notifications",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2023-43509",
"datePublished": "2023-10-24T18:13:15.076Z",
"dateReserved": "2023-09-19T14:41:06.499Z",
"dateUpdated": "2024-09-11T17:42:00.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43508 (GCVE-0-2023-43508)
Vulnerability from cvelistv5 – Published: 2023-10-24 18:11 – Updated: 2024-09-11 14:29
VLAI?
Summary
Vulnerabilities in the web-based management interface of ClearPass Policy Manager allow an attacker with read-only privileges to perform actions that change the state of the ClearPass Policy Manager instance. Successful exploitation of these vulnerabilities allow an attacker to complete state-changing actions in the web-based management interface that should not be allowed by their current level of authorization on the platform.
Severity ?
6.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.11.x: 6.11.4 and below , ≤ <=6.11.4
(semver)
Affected: ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below Affected: ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below |
Credits
Mateusz Dabrowski (dbrwsky)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.231Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43508",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T14:16:07.728074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T14:29:44.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "\u003c=6.11.4",
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.4 and below",
"versionType": "semver"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mateusz Dabrowski (dbrwsky)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerabilities in the web-based management interface of\u0026nbsp;ClearPass Policy Manager allow an attacker with read-only\u0026nbsp;privileges to perform actions that change the state of the\u0026nbsp;ClearPass Policy Manager instance. Successful exploitation\u0026nbsp;of these vulnerabilities allow an attacker to complete\u0026nbsp;state-changing actions in the web-based management interface\u0026nbsp;that should not be allowed by their current level of\u0026nbsp;authorization on the platform."
}
],
"value": "Vulnerabilities in the web-based management interface of\u00a0ClearPass Policy Manager allow an attacker with read-only\u00a0privileges to perform actions that change the state of the\u00a0ClearPass Policy Manager instance. Successful exploitation\u00a0of these vulnerabilities allow an attacker to complete\u00a0state-changing actions in the web-based management interface\u00a0that should not be allowed by their current level of\u00a0authorization on the platform."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T18:11:58.092Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authorization Bypass Leading to Privilege Escalation in ClearPass Policy Manager Web-Based Management Interface",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2023-43508",
"datePublished": "2023-10-24T18:11:58.092Z",
"dateReserved": "2023-09-19T14:41:06.499Z",
"dateUpdated": "2024-09-11T14:29:44.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43507 (GCVE-0-2023-43507)
Vulnerability from cvelistv5 – Published: 2023-10-24 18:10 – Updated: 2024-09-11 17:46
VLAI?
Summary
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit this vulnerability to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the ClearPass Policy Manager cluster.
Severity ?
7.2 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.11.x: 6.11.4 and below , ≤ <=6.11.4
(semver)
Affected: ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below Affected: ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below |
Credits
Luke Young (bugcrowd.com/bored_engineer)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.183Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hpe:aruba_clear_pass_policy_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "aruba_clear_pass_policy_manager",
"vendor": "hpe",
"versions": [
{
"lessThanOrEqual": "6.11.4",
"status": "affected",
"version": "6.11x",
"versionType": "custom"
},
{
"lessThan": "6.10.8",
"status": "affected",
"version": "6.10x",
"versionType": "custom"
},
{
"lessThan": "6.9.13",
"status": "affected",
"version": "6.9x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43507",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T17:43:03.604273Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:46:38.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "\u003c=6.11.4",
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.4 and below",
"versionType": "semver"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Luke Young (bugcrowd.com/bored_engineer)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in the web-based management interface of\u0026nbsp;ClearPass Policy Manager could allow an authenticated\u0026nbsp;remote attacker to conduct SQL injection attacks against\u0026nbsp;the ClearPass Policy Manager instance. An attacker could\u0026nbsp;exploit this vulnerability to obtain and modify sensitive\u0026nbsp;information in the underlying database potentially leading\u0026nbsp;to complete compromise of the ClearPass Policy Manager\u0026nbsp;cluster."
}
],
"value": "A vulnerability in the web-based management interface of\u00a0ClearPass Policy Manager could allow an authenticated\u00a0remote attacker to conduct SQL injection attacks against\u00a0the ClearPass Policy Manager instance. An attacker could\u00a0exploit this vulnerability to obtain and modify sensitive\u00a0information in the underlying database potentially leading\u00a0to complete compromise of the ClearPass Policy Manager\u00a0cluster."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T18:10:06.158Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated SQL Injection Vulnerability in ClearPass Policy Manager Web-based Management Interface",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2023-43507",
"datePublished": "2023-10-24T18:10:06.158Z",
"dateReserved": "2023-09-19T14:41:06.499Z",
"dateUpdated": "2024-09-11T17:46:38.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43506 (GCVE-0-2023-43506)
Vulnerability from cvelistv5 – Published: 2023-10-24 18:08 – Updated: 2024-09-11 17:50
VLAI?
Summary
A vulnerability in the ClearPass OnGuard Linux agent could allow malicious users on a Linux instance to elevate their user privileges to those of a higher role. A successful exploit allows malicious users to execute arbitrary code with root level privileges on the Linux instance.
Severity ?
7.8 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.11.x: 6.11.4 and below , ≤ <=6.11.4
(semver)
Affected: ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below Affected: ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below |
Credits
Luke Young (bugcrowd.com/bored_engineer)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:42.868Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hpe:aruba_clear_pass_policy_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "aruba_clear_pass_policy_manager",
"vendor": "hpe",
"versions": [
{
"lessThanOrEqual": "6.11.4",
"status": "affected",
"version": "6.11x",
"versionType": "custom"
},
{
"lessThan": "6.10.8",
"status": "affected",
"version": "6.10x",
"versionType": "custom"
},
{
"lessThan": "6.9.13",
"status": "affected",
"version": "6.9x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43506",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T17:47:31.798835Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:50:00.081Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "\u003c=6.11.4",
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.4 and below",
"versionType": "semver"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Luke Young (bugcrowd.com/bored_engineer)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in the ClearPass OnGuard Linux agent could\u0026nbsp;allow malicious users on a Linux instance to elevate their\u0026nbsp;user privileges to those of a higher role. A successful\u0026nbsp;exploit allows malicious users to execute arbitrary code\u0026nbsp;with root level privileges on the Linux instance."
}
],
"value": "A vulnerability in the ClearPass OnGuard Linux agent could\u00a0allow malicious users on a Linux instance to elevate their\u00a0user privileges to those of a higher role. A successful\u00a0exploit allows malicious users to execute arbitrary code\u00a0with root level privileges on the Linux instance."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T18:08:31.010Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Local Privilege Escalation in ClearPass OnGuard Linux Agent",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2023-43506",
"datePublished": "2023-10-24T18:08:31.010Z",
"dateReserved": "2023-09-19T14:41:06.498Z",
"dateUpdated": "2024-09-11T17:50:00.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25596 (GCVE-0-2023-25596)
Vulnerability from cvelistv5 – Published: 2023-03-14 14:57 – Updated: 2025-02-27 15:01
VLAI?
Summary
A vulnerability exists in ClearPass Policy Manager that allows for an attacker with administrative privileges to access sensitive information in a cleartext format. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.
Severity ?
4.5 (Medium)
CWE
- n/a
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
6.11.1 and below
Affected: 6.10.8 and below Affected: 6.9.13 and below |
Credits
the Aruba ClearPass Policy Manager engineering team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:25:19.318Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-003.txt"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25596",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T15:01:44.261264Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T15:01:58.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "6.11.1 and below"
},
{
"status": "affected",
"version": "6.10.8 and below"
},
{
"status": "affected",
"version": "6.9.13 and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "the Aruba ClearPass Policy Manager engineering team"
}
],
"datePublic": "2023-03-14T19:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": " A vulnerability exists in ClearPass Policy Manager that allows for an attacker with administrative privileges to access sensitive information in a cleartext format. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further\u0026nbsp;access to network services supported by ClearPass Policy Manager."
}
],
"value": " A vulnerability exists in ClearPass Policy Manager that allows for an attacker with administrative privileges to access sensitive information in a cleartext format. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further\u00a0access to network services supported by ClearPass Policy Manager."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-22T04:39:15.803Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-003.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Sensitive Information Disclosure in ClearPass Policy Manager",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2023-25596",
"datePublished": "2023-03-14T14:57:27.104Z",
"dateReserved": "2023-02-07T20:24:22.480Z",
"dateUpdated": "2025-02-27T15:01:58.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26302 (GCVE-0-2024-26302)
Vulnerability from nvd – Published: 2024-02-27 22:11 – Updated: 2025-08-27 15:41
VLAI?
Summary
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.
Severity ?
4.8 (Medium)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
Aruba ClearPass Policy Manager engineering team
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26302",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-28T18:11:03.319147Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T15:41:33.954Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.011Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Aruba ClearPass Policy Manager engineering team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.\u003c/p\u003e"
}
],
"value": "A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T22:11:37.929Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26302",
"datePublished": "2024-02-27T22:11:37.929Z",
"dateReserved": "2024-02-16T19:42:43.186Z",
"dateUpdated": "2025-08-27T15:41:33.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26301 (GCVE-0-2024-26301)
Vulnerability from nvd – Published: 2024-02-27 22:10 – Updated: 2025-03-13 16:43
VLAI?
Summary
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.
Severity ?
6.5 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
Niels De Carpentier
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.580Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26301",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T16:54:02.591331Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T16:43:00.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Niels De Carpentier"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.\u003c/p\u003e"
}
],
"value": "A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T22:10:54.804Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26301",
"datePublished": "2024-02-27T22:10:54.804Z",
"dateReserved": "2024-02-16T19:42:43.186Z",
"dateUpdated": "2025-03-13T16:43:00.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26300 (GCVE-0-2024-26300)
Vulnerability from nvd – Published: 2024-02-27 22:06 – Updated: 2024-11-07 11:07
VLAI?
Summary
A vulnerability in the guest interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
Severity ?
6.6 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
Kajetan Rostojek (@kaje11)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26300",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-28T20:30:02.698599Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-07T11:07:53.761Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.150Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Kajetan Rostojek (@kaje11)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in the guest interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim\u0027s browser in the context of the affected interface.\u003c/p\u003e"
}
],
"value": "A vulnerability in the guest interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim\u0027s browser in the context of the affected interface.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T22:06:49.616Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26300",
"datePublished": "2024-02-27T22:06:49.616Z",
"dateReserved": "2024-02-16T19:42:43.186Z",
"dateUpdated": "2024-11-07T11:07:53.761Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26299 (GCVE-0-2024-26299)
Vulnerability from nvd – Published: 2024-02-27 22:05 – Updated: 2024-11-04 18:44
VLAI?
Summary
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
Severity ?
6.6 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
S4thi5h
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26299",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-28T18:16:03.637814Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T18:44:31.292Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.082Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "S4thi5h"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim\u0027s browser in the context of the affected interface.\u003c/p\u003e"
}
],
"value": "A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim\u0027s browser in the context of the affected interface.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T22:05:37.624Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26299",
"datePublished": "2024-02-27T22:05:37.624Z",
"dateReserved": "2024-02-16T19:42:43.186Z",
"dateUpdated": "2024-11-04T18:44:31.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26298 (GCVE-0-2024-26298)
Vulnerability from nvd – Published: 2024-02-27 22:04 – Updated: 2024-08-02 00:07
VLAI?
Summary
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
Severity ?
7.2 (High)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
Kajetan Rostojek (@kaje11)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.11.6",
"status": "affected",
"version": "6.11.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.10.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.10.8_hotfix_q4_2023",
"status": "affected",
"version": "6.10.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.9.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.9.13_hotfix_q4_2023",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.12.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"status": "affected",
"version": "6.12.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26298",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-28T18:31:43.549918Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T17:06:46.357Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.557Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Kajetan Rostojek (@kaje11)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\u003c/p\u003e"
}
],
"value": "Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T22:04:58.511Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26298",
"datePublished": "2024-02-27T22:04:58.511Z",
"dateReserved": "2024-02-16T19:42:43.185Z",
"dateUpdated": "2024-08-02T00:07:19.557Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26297 (GCVE-0-2024-26297)
Vulnerability from nvd – Published: 2024-02-27 22:03 – Updated: 2024-08-02 00:07
VLAI?
Summary
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
Severity ?
7.2 (High)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
Kajetan Rostojek (@kaje11)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.11.6",
"status": "affected",
"version": "6.11.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.10.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.10.8_hotfix_q4_2023",
"status": "affected",
"version": "6.10.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.9.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.9.13_hotfix_q4_2023",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.12.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"status": "affected",
"version": "6.12.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26297",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T17:05:17.518713Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T17:05:48.113Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.261Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Kajetan Rostojek (@kaje11)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\u003c/p\u003e"
}
],
"value": "Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T22:03:55.507Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26297",
"datePublished": "2024-02-27T22:03:55.507Z",
"dateReserved": "2024-02-16T19:42:43.185Z",
"dateUpdated": "2024-08-02T00:07:19.261Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26296 (GCVE-0-2024-26296)
Vulnerability from nvd – Published: 2024-02-27 21:57 – Updated: 2024-08-02 00:07
VLAI?
Summary
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
Severity ?
7.2 (High)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
Kajetan Rostojek (@kaje11)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.11.6",
"status": "affected",
"version": "6.11.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.10.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.10.8_hotfix_q4_2023",
"status": "affected",
"version": "6.10.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.9.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.9.13_hotfix_q4_2023",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.12.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"status": "affected",
"version": "6.12.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26296",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-28T18:42:16.443596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T17:04:58.388Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.027Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Kajetan Rostojek (@kaje11)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\u003c/p\u003e"
}
],
"value": "Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T21:57:24.846Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26296",
"datePublished": "2024-02-27T21:57:24.846Z",
"dateReserved": "2024-02-16T19:42:43.185Z",
"dateUpdated": "2024-08-02T00:07:19.027Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26295 (GCVE-0-2024-26295)
Vulnerability from nvd – Published: 2024-02-27 21:56 – Updated: 2024-08-02 00:07
VLAI?
Summary
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
Severity ?
7.2 (High)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
Daniel Jensen (@dozernz)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.11.6",
"status": "affected",
"version": "6.11.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.10.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.10.8_hotfix_q4_2023",
"status": "affected",
"version": "6.10.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.9.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.9.13_hotfix_q4_2023",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.12.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"status": "affected",
"version": "6.12.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26295",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T17:06:06.521964Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T17:06:09.062Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:19.403Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Jensen (@dozernz)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\u003c/p\u003e"
}
],
"value": "Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T21:56:22.295Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26295",
"datePublished": "2024-02-27T21:56:22.295Z",
"dateReserved": "2024-02-16T19:42:43.185Z",
"dateUpdated": "2024-08-02T00:07:19.403Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26294 (GCVE-0-2024-26294)
Vulnerability from nvd – Published: 2024-02-27 21:54 – Updated: 2024-08-02 00:07
VLAI?
Summary
Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.
Severity ?
7.2 (High)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.12.x: 6.12.0
Affected: ClearPass Policy Manager 6.11.x: 6.11.6 and below Affected: ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below Affected: ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below |
Credits
Daniel Jensen (@dozernz)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.11.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.11.6",
"status": "affected",
"version": "6.11.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.10.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.10.8_hotfix_q4_2023",
"status": "affected",
"version": "6.10.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.9.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"lessThanOrEqual": "6.9.13_hotfix_q4_2023",
"status": "affected",
"version": "6.9.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.12.0:*:*:*:*:*:*:*"
],
"defaultStatus": "affected",
"product": "clearpass_policy_manager",
"vendor": "arubanetworks",
"versions": [
{
"status": "affected",
"version": "6.12.0"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26294",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-26T17:05:55.708273Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-26T17:05:58.925Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T00:07:18.955Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "ClearPass Policy Manager 6.12.x: 6.12.0"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.6 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Jensen (@dozernz)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eVulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\u003c/p\u003e"
}
],
"value": "Vulnerabilities in the ClearPass Policy Manager web-based management interface allow remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-27T21:54:21.857Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-001.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2024-26294",
"datePublished": "2024-02-27T21:54:21.857Z",
"dateReserved": "2024-02-16T19:42:43.184Z",
"dateUpdated": "2024-08-02T00:07:18.955Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43510 (GCVE-0-2023-43510)
Vulnerability from nvd – Published: 2023-10-24 18:14 – Updated: 2024-09-11 17:17
VLAI?
Summary
A vulnerability in the ClearPass Policy Manager web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as a non-privileged user on the underlying operating system leading to partial system compromise.
Severity ?
4.7 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.11.x: 6.11.4 and below , ≤ <=6.11.4
(semver)
Affected: ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below Affected: ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below |
Credits
Daniel Jensen (@dozernz)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:42.674Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43510",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T17:16:43.166442Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:17:15.639Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "\u003c=6.11.4",
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.4 and below",
"versionType": "semver"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Daniel Jensen (@dozernz)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in the ClearPass Policy Manager web-based\u0026nbsp;management interface allows remote authenticated users to\u0026nbsp;run arbitrary commands on the underlying host. A successful\u0026nbsp;exploit could allow an attacker to execute arbitrary\u0026nbsp;commands as a non-privileged user on the underlying\u0026nbsp;operating system leading to partial system compromise."
}
],
"value": "A vulnerability in the ClearPass Policy Manager web-based\u00a0management interface allows remote authenticated users to\u00a0run arbitrary commands on the underlying host. A successful\u00a0exploit could allow an attacker to execute arbitrary\u00a0commands as a non-privileged user on the underlying\u00a0operating system leading to partial system compromise."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T18:14:37.992Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Remote Command Injection in ClearPass Policy Manager Web-Based Management Interface Leading to Partial System Compromise",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2023-43510",
"datePublished": "2023-10-24T18:14:37.992Z",
"dateReserved": "2023-09-19T14:41:06.499Z",
"dateUpdated": "2024-09-11T17:17:15.639Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43509 (GCVE-0-2023-43509)
Vulnerability from nvd – Published: 2023-10-24 18:13 – Updated: 2024-09-11 17:42
VLAI?
Summary
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an unauthenticated remote attacker to send notifications to computers that are running ClearPass OnGuard. These notifications can then be used to phish users or trick them into downloading malicious software.
Severity ?
5.8 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.11.x: 6.11.4 and below , ≤ <=6.11.4
(semver)
Affected: ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below Affected: ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below |
Credits
Luke Young (bugcrowd.com/bored-engineer)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:42.755Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hpe:aruba_clear_pass_policy_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "aruba_clear_pass_policy_manager",
"vendor": "hpe",
"versions": [
{
"lessThanOrEqual": "6.11.4",
"status": "affected",
"version": "6.11x",
"versionType": "custom"
},
{
"lessThan": "6.10.8",
"status": "affected",
"version": "6.10x",
"versionType": "custom"
},
{
"lessThan": "6.9.13",
"status": "affected",
"version": "6.9x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43509",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T17:35:06.867846Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:42:00.784Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "\u003c=6.11.4",
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.4 and below",
"versionType": "semver"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Luke Young (bugcrowd.com/bored-engineer)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in the web-based management interface of\u0026nbsp;ClearPass Policy Manager could allow an unauthenticated\u0026nbsp;remote attacker to send notifications to computers that are\u0026nbsp;running ClearPass OnGuard. These notifications can then be\u0026nbsp;used to phish users or trick them into downloading malicious\u0026nbsp;software."
}
],
"value": "A vulnerability in the web-based management interface of\u00a0ClearPass Policy Manager could allow an unauthenticated\u00a0remote attacker to send notifications to computers that are\u00a0running ClearPass OnGuard. These notifications can then be\u00a0used to phish users or trick them into downloading malicious\u00a0software."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T18:13:15.076Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Endpoint Allows Sending Arbitrary OnGuard Notifications",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2023-43509",
"datePublished": "2023-10-24T18:13:15.076Z",
"dateReserved": "2023-09-19T14:41:06.499Z",
"dateUpdated": "2024-09-11T17:42:00.784Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43508 (GCVE-0-2023-43508)
Vulnerability from nvd – Published: 2023-10-24 18:11 – Updated: 2024-09-11 14:29
VLAI?
Summary
Vulnerabilities in the web-based management interface of ClearPass Policy Manager allow an attacker with read-only privileges to perform actions that change the state of the ClearPass Policy Manager instance. Successful exploitation of these vulnerabilities allow an attacker to complete state-changing actions in the web-based management interface that should not be allowed by their current level of authorization on the platform.
Severity ?
6.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.11.x: 6.11.4 and below , ≤ <=6.11.4
(semver)
Affected: ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below Affected: ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below |
Credits
Mateusz Dabrowski (dbrwsky)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.231Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43508",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T14:16:07.728074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T14:29:44.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "\u003c=6.11.4",
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.4 and below",
"versionType": "semver"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mateusz Dabrowski (dbrwsky)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Vulnerabilities in the web-based management interface of\u0026nbsp;ClearPass Policy Manager allow an attacker with read-only\u0026nbsp;privileges to perform actions that change the state of the\u0026nbsp;ClearPass Policy Manager instance. Successful exploitation\u0026nbsp;of these vulnerabilities allow an attacker to complete\u0026nbsp;state-changing actions in the web-based management interface\u0026nbsp;that should not be allowed by their current level of\u0026nbsp;authorization on the platform."
}
],
"value": "Vulnerabilities in the web-based management interface of\u00a0ClearPass Policy Manager allow an attacker with read-only\u00a0privileges to perform actions that change the state of the\u00a0ClearPass Policy Manager instance. Successful exploitation\u00a0of these vulnerabilities allow an attacker to complete\u00a0state-changing actions in the web-based management interface\u00a0that should not be allowed by their current level of\u00a0authorization on the platform."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T18:11:58.092Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authorization Bypass Leading to Privilege Escalation in ClearPass Policy Manager Web-Based Management Interface",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2023-43508",
"datePublished": "2023-10-24T18:11:58.092Z",
"dateReserved": "2023-09-19T14:41:06.499Z",
"dateUpdated": "2024-09-11T14:29:44.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43507 (GCVE-0-2023-43507)
Vulnerability from nvd – Published: 2023-10-24 18:10 – Updated: 2024-09-11 17:46
VLAI?
Summary
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit this vulnerability to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the ClearPass Policy Manager cluster.
Severity ?
7.2 (High)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.11.x: 6.11.4 and below , ≤ <=6.11.4
(semver)
Affected: ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below Affected: ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below |
Credits
Luke Young (bugcrowd.com/bored_engineer)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:43.183Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hpe:aruba_clear_pass_policy_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "aruba_clear_pass_policy_manager",
"vendor": "hpe",
"versions": [
{
"lessThanOrEqual": "6.11.4",
"status": "affected",
"version": "6.11x",
"versionType": "custom"
},
{
"lessThan": "6.10.8",
"status": "affected",
"version": "6.10x",
"versionType": "custom"
},
{
"lessThan": "6.9.13",
"status": "affected",
"version": "6.9x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43507",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T17:43:03.604273Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:46:38.200Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "\u003c=6.11.4",
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.4 and below",
"versionType": "semver"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Luke Young (bugcrowd.com/bored_engineer)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in the web-based management interface of\u0026nbsp;ClearPass Policy Manager could allow an authenticated\u0026nbsp;remote attacker to conduct SQL injection attacks against\u0026nbsp;the ClearPass Policy Manager instance. An attacker could\u0026nbsp;exploit this vulnerability to obtain and modify sensitive\u0026nbsp;information in the underlying database potentially leading\u0026nbsp;to complete compromise of the ClearPass Policy Manager\u0026nbsp;cluster."
}
],
"value": "A vulnerability in the web-based management interface of\u00a0ClearPass Policy Manager could allow an authenticated\u00a0remote attacker to conduct SQL injection attacks against\u00a0the ClearPass Policy Manager instance. An attacker could\u00a0exploit this vulnerability to obtain and modify sensitive\u00a0information in the underlying database potentially leading\u00a0to complete compromise of the ClearPass Policy Manager\u00a0cluster."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T18:10:06.158Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated SQL Injection Vulnerability in ClearPass Policy Manager Web-based Management Interface",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2023-43507",
"datePublished": "2023-10-24T18:10:06.158Z",
"dateReserved": "2023-09-19T14:41:06.499Z",
"dateUpdated": "2024-09-11T17:46:38.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43506 (GCVE-0-2023-43506)
Vulnerability from nvd – Published: 2023-10-24 18:08 – Updated: 2024-09-11 17:50
VLAI?
Summary
A vulnerability in the ClearPass OnGuard Linux agent could allow malicious users on a Linux instance to elevate their user privileges to those of a higher role. A successful exploit allows malicious users to execute arbitrary code with root level privileges on the Linux instance.
Severity ?
7.8 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
ClearPass Policy Manager 6.11.x: 6.11.4 and below , ≤ <=6.11.4
(semver)
Affected: ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below Affected: ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below |
Credits
Luke Young (bugcrowd.com/bored_engineer)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:42.868Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:hpe:aruba_clear_pass_policy_manager:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "aruba_clear_pass_policy_manager",
"vendor": "hpe",
"versions": [
{
"lessThanOrEqual": "6.11.4",
"status": "affected",
"version": "6.11x",
"versionType": "custom"
},
{
"lessThan": "6.10.8",
"status": "affected",
"version": "6.10x",
"versionType": "custom"
},
{
"lessThan": "6.9.13",
"status": "affected",
"version": "6.9x",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43506",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-11T17:47:31.798835Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-11T17:50:00.081Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "\u003c=6.11.4",
"status": "affected",
"version": "ClearPass Policy Manager 6.11.x: 6.11.4 and below",
"versionType": "semver"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below"
},
{
"status": "affected",
"version": "ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Luke Young (bugcrowd.com/bored_engineer)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A vulnerability in the ClearPass OnGuard Linux agent could\u0026nbsp;allow malicious users on a Linux instance to elevate their\u0026nbsp;user privileges to those of a higher role. A successful\u0026nbsp;exploit allows malicious users to execute arbitrary code\u0026nbsp;with root level privileges on the Linux instance."
}
],
"value": "A vulnerability in the ClearPass OnGuard Linux agent could\u00a0allow malicious users on a Linux instance to elevate their\u00a0user privileges to those of a higher role. A successful\u00a0exploit allows malicious users to execute arbitrary code\u00a0with root level privileges on the Linux instance."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T18:08:31.010Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Local Privilege Escalation in ClearPass OnGuard Linux Agent",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2023-43506",
"datePublished": "2023-10-24T18:08:31.010Z",
"dateReserved": "2023-09-19T14:41:06.498Z",
"dateUpdated": "2024-09-11T17:50:00.081Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25596 (GCVE-0-2023-25596)
Vulnerability from nvd – Published: 2023-03-14 14:57 – Updated: 2025-02-27 15:01
VLAI?
Summary
A vulnerability exists in ClearPass Policy Manager that allows for an attacker with administrative privileges to access sensitive information in a cleartext format. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.
Severity ?
4.5 (Medium)
CWE
- n/a
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | Aruba ClearPass Policy Manager |
Affected:
6.11.1 and below
Affected: 6.10.8 and below Affected: 6.9.13 and below |
Credits
the Aruba ClearPass Policy Manager engineering team
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:25:19.318Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-003.txt"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25596",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T15:01:44.261264Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-312",
"description": "CWE-312 Cleartext Storage of Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T15:01:58.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aruba ClearPass Policy Manager",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"status": "affected",
"version": "6.11.1 and below"
},
{
"status": "affected",
"version": "6.10.8 and below"
},
{
"status": "affected",
"version": "6.9.13 and below"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "the Aruba ClearPass Policy Manager engineering team"
}
],
"datePublic": "2023-03-14T19:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": " A vulnerability exists in ClearPass Policy Manager that allows for an attacker with administrative privileges to access sensitive information in a cleartext format. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further\u0026nbsp;access to network services supported by ClearPass Policy Manager."
}
],
"value": " A vulnerability exists in ClearPass Policy Manager that allows for an attacker with administrative privileges to access sensitive information in a cleartext format. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further\u00a0access to network services supported by ClearPass Policy Manager."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-22T04:39:15.803Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-003.txt"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated Sensitive Information Disclosure in ClearPass Policy Manager",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2023-25596",
"datePublished": "2023-03-14T14:57:27.104Z",
"dateReserved": "2023-02-07T20:24:22.480Z",
"dateUpdated": "2025-02-27T15:01:58.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}