CVE-2022-43528

Published: Jan 5, 2023Modified: Apr 10, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Exploitability: 3.9 / Impact: 2.5

Source: NVD

Description

Under certain configurations, an attacker can login to Aruba EdgeConnect Enterprise Orchestrator without supplying a multi-factor authentication code. Successful exploitation allows an attacker to login using only a username and password and successfully bypass MFA requirements in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator 9.2.1.40179 and below, - Orchestrator 9.1.4.40436 and below, - Orchestrator 9.0.7.40110 and below, - Orchestrator 8.10.23.40015 and below, - Any older branches of Orchestrator not specifically mentioned.

Affected (16)

Products: Arubanetworks: Aruba Edgeconnect Enterprise Orchestrator

Arubanetworks

1 product

Aruba Edgeconnect Enterprise Orchestrator

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Arubanetworks Aruba Edgeconnect Enterprise Orchestrator	Up to 8.10.23.40015
Arubanetworks Aruba Edgeconnect Enterprise Orchestrator	From 9.0.0 to 9.0.7.40110
Arubanetworks Aruba Edgeconnect Enterprise Orchestrator	From 9.1.0 to 9.1.4.40436
Arubanetworks Aruba Edgeconnect Enterprise Orchestrator	From 9.2.0 to 9.2.1.40179

Configuration B

4 vulnerable

Vulnerable Software	Affected Versions
Arubanetworks Aruba Edgeconnect Enterprise Orchestrator	Up to 8.10.23.40015
Arubanetworks Aruba Edgeconnect Enterprise Orchestrator	From 9.0.0 to 9.0.7.40110
Arubanetworks Aruba Edgeconnect Enterprise Orchestrator	From 9.1.0 to 9.1.4.40436
Arubanetworks Aruba Edgeconnect Enterprise Orchestrator	From 9.2.0 to 9.2.1.40179

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Arubanetworks Aruba Edgeconnect Enterprise Orchestrator	Up to 8.10.23.40015
Arubanetworks Aruba Edgeconnect Enterprise Orchestrator	From 9.0.0 to 9.0.7.40110
Arubanetworks Aruba Edgeconnect Enterprise Orchestrator	From 9.1.0 to 9.1.4.40436
Arubanetworks Aruba Edgeconnect Enterprise Orchestrator	From 9.2.0 to 9.2.1.40179

Configuration D

4 vulnerable

Vulnerable Software	Affected Versions
Arubanetworks Aruba Edgeconnect Enterprise Orchestrator	Up to 8.10.23.40015
Arubanetworks Aruba Edgeconnect Enterprise Orchestrator	From 9.0.0 to 9.0.7.40110
Arubanetworks Aruba Edgeconnect Enterprise Orchestrator	From 9.1.0 to 9.1.4.40436
Arubanetworks Aruba Edgeconnect Enterprise Orchestrator	From 9.2.0 to 9.2.1.40179

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (2)

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-021.txt

Source: security-alert@hpe.com

MitigationVendor Advisory

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-021.txt

Source: af854a3a-2127-422b-91ae-364da2661108

MitigationVendor Advisory

Timeline

No history available yet.