CVE-2023-37424

Published: Aug 22, 2023Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host if certain preconditions outside of the attacker's control are met. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.

Affected (4)

Products: Arubanetworks: Edgeconnect Sd Wan Orchestrator

Arubanetworks

1 product

Edgeconnect Sd Wan Orchestrator

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Arubanetworks Edgeconnect Sd Wan Orchestrator	From 9.0.0 to 9.0.5
Arubanetworks Edgeconnect Sd Wan Orchestrator	From 9.1.0 to 9.1.7
Arubanetworks Edgeconnect Sd Wan Orchestrator	From 9.2.0 to 9.2.5
Arubanetworks Edgeconnect Sd Wan Orchestrator	Version 9.3.0

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt

Source: security-alert@hpe.com

Vendor Advisory

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.