gsd-2023-22790
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
Multiple authenticated command injection vulnerabilities exist in the Aruba InstantOS and ArubaOS 10 command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-22790",
"id": "GSD-2023-22790"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-22790"
],
"details": "Multiple authenticated command injection vulnerabilities\u00a0exist in the Aruba InstantOS and ArubaOS 10 command line\u00a0interface. Successful exploitation of these vulnerabilities\u00a0result in the ability to execute arbitrary commands as a\u00a0privileged user on the underlying operating system.",
"id": "GSD-2023-22790",
"modified": "2023-12-13T01:20:42.960352Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-alert@hpe.com",
"ID": "CVE-2023-22790",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Aruba Access Points running InstantOS and ArubaOS 10",
"version": {
"version_data": [
{
"version_value": "not down converted",
"x_cve_json_5_version_data": {
"defaultStatus": "affected",
"versions": [
{
"status": "affected",
"version": "Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below"
},
{
"status": "affected",
"version": "Aruba InstantOS 6.5.x: 6.5.4.23 and below"
},
{
"status": "affected",
"version": "Aruba InstantOS 8.6.x: 8.6.0.19 and below"
},
{
"status": "affected",
"version": "Aruba InstantOS 8.10.x: 8.10.0.4 and below"
},
{
"status": "affected",
"version": "ArubaOS 10.3.x: 10.3.1.0 and below"
},
{
"status": "affected",
"version": "See reference document for further details"
}
]
}
}
]
}
}
]
},
"vendor_name": "Hewlett Packard Enterprise (HPE)"
}
]
}
},
"credits": [
{
"lang": "en",
"value": "Daniel Jensen (@dozernz)"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple authenticated command injection vulnerabilities\u00a0exist in the Aruba InstantOS and ArubaOS 10 command line\u00a0interface. Successful exploitation of these vulnerabilities\u00a0result in the ability to execute arbitrary commands as a\u00a0privileged user on the underlying operating system."
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt",
"refsource": "MISC",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10.3.1.0",
"versionStartIncluding": "10.3.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "8.6.0.0",
"versionStartIncluding": "8.4.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "8.9.0.0",
"versionStartIncluding": "8.7.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "6.4.4.8-4.2.4.20",
"versionStartIncluding": "6.4.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "6.5.4.23",
"versionStartIncluding": "6.5.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "8.6.0.19",
"versionStartIncluding": "8.6.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "8.10.0.4",
"versionStartIncluding": "8.10.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-alert@hpe.com",
"ID": "CVE-2023-22790"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Multiple authenticated command injection vulnerabilities\u00a0exist in the Aruba InstantOS and ArubaOS 10 command line\u00a0interface. Successful exploitation of these vulnerabilities\u00a0result in the ability to execute arbitrary commands as a\u00a0privileged user on the underlying operating system."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2023-05-12T16:03Z",
"publishedDate": "2023-05-08T15:15Z"
}
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.