CVE-2022-23701 - OpenCVE

A potential remote host header injection security vulnerability has been identified in HPE Integrated Lights-Out 4 (iLO 4) firmware version(s): Prior to 2.60. This vulnerability could be remotely exploited to allow an attacker to supply invalid input to the iLO 4 webserver, causing it to respond with a redirect to an attacker-controlled domain. HPE has provided a firmware update to resolve this vulnerability in HPE Integrated Lights-Out 4 (iLO 4).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hpe	Integrated Lights-out Integrated Lights-out 4

Configuration 1 [-]

AND

cpe:2.3:o:hpe:integrated_lights-out:*:*:*:*:*:*:*:*

cpe:2.3:h:hpe:integrated_lights-out_4:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf04249en_us

History

No history.

MITRE

Status: PUBLISHED

Assigner: hpe

Published: 2022-02-24T21:05:21

Updated: 2024-08-03T03:51:45.987Z

Reserved: 2022-01-19T00:00:00

Link: CVE-2022-23701

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-02-24T22:15:08.393

Modified: 2022-03-08T16:05:27.603

Link: CVE-2022-23701

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "HPE Integrated Lights-Out 4 (iLO 4)", "vendor": "n/a", "versions": [{"status": "affected", "version": "Prior to 2.60"}]}], "descriptions": [{"lang": "en", "value": "A potential remote host header injection security vulnerability has been identified in HPE Integrated Lights-Out 4 (iLO 4) firmware version(s): Prior to 2.60. This vulnerability could be remotely exploited to allow an attacker to supply invalid input to the iLO 4 webserver, causing it to respond with a redirect to an attacker-controlled domain. HPE has provided a firmware update to resolve this vulnerability in HPE Integrated Lights-Out 4 (iLO 4)."}], "problemTypes": [{"descriptions": [{"description": "remote host header injection", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-02-24T21:05:21", "orgId": "eb103674-0d28-4225-80f8-39fb86215de0", "shortName": "hpe"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf04249en_us"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-alert@hpe.com", "ID": "CVE-2022-23701", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "HPE Integrated Lights-Out 4 (iLO 4)", "version": {"version_data": [{"version_value": "Prior to 2.60"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A potential remote host header injection security vulnerability has been identified in HPE Integrated Lights-Out 4 (iLO 4) firmware version(s): Prior to 2.60. This vulnerability could be remotely exploited to allow an attacker to supply invalid input to the iLO 4 webserver, causing it to respond with a redirect to an attacker-controlled domain. HPE has provided a firmware update to resolve this vulnerability in HPE Integrated Lights-Out 4 (iLO 4)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "remote host header injection"}]}]}, "references": {"reference_data": [{"name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf04249en_us", "refsource": "MISC", "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf04249en_us"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:51:45.987Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf04249en_us"}]}]}, "cveMetadata": {"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0", "assignerShortName": "hpe", "cveId": "CVE-2022-23701", "datePublished": "2022-02-24T21:05:21", "dateReserved": "2022-01-19T00:00:00", "dateUpdated": "2024-08-03T03:51:45.987Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:hpe:integrated_lights-out:*:*:*:*:*:*:*:*", "matchCriteriaId": "CE5D69D3-22A2-4A0B-89BF-8B7F13C13C33", "versionEndExcluding": "2.60", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:hpe:integrated_lights-out_4:-:*:*:*:*:*:*:*", "matchCriteriaId": "FE2AC5EE-E443-46BD-8596-0F396C2CCC95", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A potential remote host header injection security vulnerability has been identified in HPE Integrated Lights-Out 4 (iLO 4) firmware version(s): Prior to 2.60. This vulnerability could be remotely exploited to allow an attacker to supply invalid input to the iLO 4 webserver, causing it to respond with a redirect to an attacker-controlled domain. HPE has provided a firmware update to resolve this vulnerability in HPE Integrated Lights-Out 4 (iLO 4)."}, {"lang": "es", "value": "Se ha identificado una posible vulnerabilidad de seguridad de inyecci\u00f3n de encabezado de host remoto en HPE Integrated Lights-Out 4 (iLO 4) versiones de firmware: Anteriores a 2.60. Esta vulnerabilidad podr\u00eda ser explotada remotamente para permitir a un atacante suministrar entradas no v\u00e1lidas al servidor web de iLO 4, causando que responda con un redireccionamiento a un dominio controlado por el atacante. HPE ha proporcionado una actualizaci\u00f3n de firmware para resolver esta vulnerabilidad en HPE Integrated Lights-Out 4 (iLO 4)"}], "id": "CVE-2022-23701", "lastModified": "2022-03-08T16:05:27.603", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-24T22:15:08.393", "references": [{"source": "security-alert@hpe.com", "tags": ["Vendor Advisory"], "url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf04249en_us"}], "sourceIdentifier": "security-alert@hpe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}