CVE-2018-7063

Published: Dec 7, 2018Modified: Nov 21, 2024

8.1

Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

In Aruba ClearPass, disabled API admins can still perform read/write operations. In certain circumstances, API admins in ClearPass which have been disabled may still be able to perform read/write operations on parts of the XML API. This can lead to unauthorized access to the API and complete compromise of the ClearPass instance if an attacker knows of the existence of these accounts.

Affected (2)

Products: Arubanetworks: Clearpass Policy Manager

1 product

Clearpass Policy Manager

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Arubanetworks Clearpass Policy Manager	Before 6.6.10
Arubanetworks Clearpass Policy Manager	From 6.7.0 to 6.7.3

Related CWEs

Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References (2)

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-007.txt

Source: security-alert@hpe.com

Vendor Advisory

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-007.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.