CVE-2022-23683

Published: Sep 6, 2022Modified: Nov 21, 2024

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

Authenticated command injection vulnerabilities exist in the AOS-CX Network Analytics Engine via NAE scripts. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system, leading to a complete compromise of the switch running AOS-CX in ArubaOS-CX Switches version(s): AOS-CX 10.10.xxxx: 10.10.0002 and below, AOS-CX 10.09.xxxx: 10.09.1030 and below, AOS-CX 10.08.xxxx: 10.08.1070 and below, AOS-CX 10.06.xxxx: 10.06.0210 and below. Aruba has released upgrades for ArubaOS-CX Switch Devices that address these security vulnerabilities.

Affected (4)

Products: Arubanetworks: Aos Cx

Arubanetworks

1 product

Aos Cx

Configuration A

1 platform

Running on/with	Platform Versions
Arubanetworks Cx 10000	All versions

Configuration B

1 platform

Running on/with	Platform Versions
Arubanetworks Cx 8325	All versions

Configuration C

1 platform

Running on/with	Platform Versions
Arubanetworks Cx 8320	All versions

Configuration D

1 platform

Running on/with	Platform Versions
Arubanetworks Cx 9300	All versions

Configuration E

1 platform

Running on/with	Platform Versions
Arubanetworks Cx 8360	All versions

Configuration F

1 platform

Running on/with	Platform Versions
Arubanetworks Cx 6400	All versions

Configuration G

1 platform

Running on/with	Platform Versions
Arubanetworks Cx 6300	All versions

Configuration H

1 platform

Running on/with	Platform Versions
Arubanetworks Cx 6200f	All versions

Configuration I

1 platform

Running on/with	Platform Versions
Arubanetworks Cx 6100	All versions

Configuration J

1 platform

Running on/with	Platform Versions
Arubanetworks Cx 6000	All versions

Configuration K

1 platform

Running on/with	Platform Versions
Arubanetworks Cx 4100i	All versions

Configuration L

4 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Arubanetworks Aos Cx	From 10.06.0000 to 10.06.0220
Arubanetworks Aos Cx	From 10.08.0000 to 10.08.1080
Arubanetworks Aos Cx	From 10.09.0000 to 10.09.1040
Arubanetworks Aos Cx	From 10.10.0000 to 10.10.1000

Running on/with	Platform Versions
Arubanetworks Cx 8400	All versions

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-012.txt

Source: security-alert@hpe.com

Vendor Advisory

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-012.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.