CVE-2023-22790 - OpenCVE

Multiple authenticated command injection vulnerabilities exist in the Aruba InstantOS and ArubaOS 10 command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Arubanetworks	Arubaos
Hp	Instantos

Configuration 1 [-]

OR	cpe:2.3:o:arubanetworks:arubaos::::::::
	cpe:2.3:o:hp:instantos::::::::
	cpe:2.3:o:hp:instantos::::::::
	cpe:2.3:o:hp:instantos::::::::
	cpe:2.3:o:hp:instantos::::::::
	cpe:2.3:o:hp:instantos::::::::
	cpe:2.3:o:hp:instantos::::::::

No data.

References

Link	Providers
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt

History

No history.

MITRE

Status: PUBLISHED

Assigner: hpe

Published: 2023-05-08T14:08:43.190Z

Updated: 2024-08-02T10:20:30.337Z

Reserved: 2023-01-06T15:24:20.511Z

Link: CVE-2023-22790

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-05-08T15:15:10.573

Modified: 2023-05-12T16:03:22.980

Link: CVE-2023-22790

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-22790", "assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0", "state": "PUBLISHED", "assignerShortName": "hpe", "dateReserved": "2023-01-06T15:24:20.511Z", "datePublished": "2023-05-08T14:08:43.190Z", "dateUpdated": "2024-08-02T10:20:30.337Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Aruba Access Points running InstantOS and ArubaOS 10", "vendor": "Hewlett Packard Enterprise (HPE)", "versions": [{"status": "affected", "version": "Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below"}, {"status": "affected", "version": "Aruba InstantOS 6.5.x: 6.5.4.23 and below"}, {"status": "affected", "version": "Aruba InstantOS 8.6.x: 8.6.0.19 and below"}, {"status": "affected", "version": "Aruba InstantOS 8.10.x: 8.10.0.4 and below"}, {"status": "affected", "version": "ArubaOS 10.3.x: 10.3.1.0 and below"}, {"status": "affected", "version": "See reference document for further details"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "Daniel Jensen (@dozernz)"}], "datePublic": "2023-05-09T20:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Multiple authenticated command injection vulnerabilities exist in the Aruba InstantOS and ArubaOS 10 command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system."}], "value": "Multiple authenticated command injection vulnerabilities\u00a0exist in the Aruba InstantOS and ArubaOS 10 command line\u00a0interface. Successful exploitation of these vulnerabilities\u00a0result in the ability to execute arbitrary commands as a\u00a0privileged user on the underlying operating system."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en"}]}], "providerMetadata": {"orgId": "eb103674-0d28-4225-80f8-39fb86215de0", "shortName": "hpe", "dateUpdated": "2023-05-08T14:08:43.190Z"}, "references": [{"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt"}], "source": {"discovery": "UNKNOWN"}, "title": "Authenticated Remote Command Execution in Aruba InstantOS or ArubaOS 10 Command Line Interface", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:20:30.337Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9226A2A-7048-4300-AC20-7629AA05E9D9", "versionEndIncluding": "10.3.1.0", "versionStartIncluding": "10.3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*", "matchCriteriaId": "93F7D378-2A4F-4A5B-BF1D-3AF38B61C626", "versionEndIncluding": "6.4.4.8-4.2.4.20", "versionStartIncluding": "6.4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*", "matchCriteriaId": "286BD7C8-D7AB-4DEB-AF86-08E246230A50", "versionEndIncluding": "6.5.4.23", "versionStartIncluding": "6.5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*", "matchCriteriaId": "4F892CBE-3BFF-49F6-9101-171C5A4C1503", "versionEndExcluding": "8.6.0.0", "versionStartIncluding": "8.4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D7E179A-F8E7-49E3-9049-FE8AD39EB0DF", "versionEndIncluding": "8.6.0.19", "versionStartIncluding": "8.6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*", "matchCriteriaId": "C3A8FE10-DA46-43BF-9713-A844CC935AD9", "versionEndIncluding": "8.9.0.0", "versionStartIncluding": "8.7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1F4CC3E-1DBE-405D-869D-21499960C11B", "versionEndIncluding": "8.10.0.4", "versionStartIncluding": "8.10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple authenticated command injection vulnerabilities\u00a0exist in the Aruba InstantOS and ArubaOS 10 command line\u00a0interface. Successful exploitation of these vulnerabilities\u00a0result in the ability to execute arbitrary commands as a\u00a0privileged user on the underlying operating system."}], "id": "CVE-2023-22790", "lastModified": "2023-05-12T16:03:22.980", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-alert@hpe.com", "type": "Secondary"}]}, "published": "2023-05-08T15:15:10.573", "references": [{"source": "security-alert@hpe.com", "tags": ["Vendor Advisory"], "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt"}], "sourceIdentifier": "security-alert@hpe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}