OpenCVE

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Arubanetworks	Edgeconnect Sd-wan Orchestrator

Configuration 1 [-]

OR	cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator::::::::
	cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator::::::::
	cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:9.3.0:::::::*

No data.

References

Link	Providers
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt

History

Tue, 29 Oct 2024 20:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-922

Wed, 02 Oct 2024 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: hpe

Published: 2023-08-22T18:09:38.208Z

Updated: 2024-10-29T19:16:16.550Z

Reserved: 2023-07-05T17:36:47.999Z

Link: CVE-2023-37439

Vulnrichment

Updated: 2024-08-02T17:16:29.530Z

NVD

Status : Modified

Published: 2023-08-22T19:16:38.817

Modified: 2024-11-21T08:11:42.827

Link: CVE-2023-37439

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-37439", "assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0", "state": "PUBLISHED", "assignerShortName": "hpe", "dateReserved": "2023-07-05T17:36:47.999Z", "datePublished": "2023-08-22T18:09:38.208Z", "dateUpdated": "2024-10-29T19:16:16.550Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "EdgeConnect SD-WAN Orchestrator", "vendor": "Hewlett Packard Enterprise (HPE)", "versions": [{"lessThanOrEqual": "<=9.3.0", "status": "affected", "version": "Orchestrator 9.3.x", "versionType": "semver"}, {"lessThanOrEqual": "<=9.2.5", "status": "affected", "version": "Orchestrator 9.2.x", "versionType": "semver"}, {"lessThanOrEqual": "<=9.1.7", "status": "affected", "version": "Orchestrator 9.1.x", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Daniel Jensen (@dozernz)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to<br>    obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host.<br><br>"}], "value": "Multiple vulnerabilities in the web-based management\u00a0interface of EdgeConnect SD-WAN Orchestrator could allow\u00a0an authenticated remote attacker to conduct SQL injection\u00a0attacks against the EdgeConnect SD-WAN Orchestrator\u00a0instance. An attacker could exploit these vulnerabilities to\n\u00a0 \u00a0 obtain and modify sensitive information in the underlying\u00a0database potentially leading to the exposure and corruption\u00a0of sensitive data controlled by the EdgeConnect SD-WAN\u00a0Orchestrator host.\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "providerMetadata": {"orgId": "eb103674-0d28-4225-80f8-39fb86215de0", "shortName": "hpe", "dateUpdated": "2023-08-22T18:09:38.208Z"}, "references": [{"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt"}], "source": {"discovery": "UNKNOWN"}, "title": "Reflected Cross Site Scripting in EdgeConnect SD-WAN Orchestrator Web Management Interface", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:16:29.530Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-922", "lang": "en", "description": "CWE-922 Insecure Storage of Sensitive Information"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-02T15:02:24.461658Z", "id": "CVE-2023-37439", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-29T19:16:16.550Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:16:29.530Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-37439", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-02T15:02:24.461658Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-922", "description": "CWE-922 Insecure Storage of Sensitive Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-02T15:13:16.434Z"}}], "cna": {"title": "Reflected Cross Site Scripting in EdgeConnect SD-WAN Orchestrator Web Management Interface", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Daniel Jensen (@dozernz)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Hewlett Packard Enterprise (HPE)", "product": "EdgeConnect SD-WAN Orchestrator", "versions": [{"status": "affected", "version": "Orchestrator 9.3.x", "versionType": "semver", "lessThanOrEqual": "<=9.3.0"}, {"status": "affected", "version": "Orchestrator 9.2.x", "versionType": "semver", "lessThanOrEqual": "<=9.2.5"}, {"status": "affected", "version": "Orchestrator 9.1.x", "versionType": "semver", "lessThanOrEqual": "<=9.1.7"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Multiple vulnerabilities in the web-based management\u00a0interface of EdgeConnect SD-WAN Orchestrator could allow\u00a0an authenticated remote attacker to conduct SQL injection\u00a0attacks against the EdgeConnect SD-WAN Orchestrator\u00a0instance. An attacker could exploit these vulnerabilities to\n\u00a0 \u00a0 obtain and modify sensitive information in the underlying\u00a0database potentially leading to the exposure and corruption\u00a0of sensitive data controlled by the EdgeConnect SD-WAN\u00a0Orchestrator host.\n\n", "supportingMedia": [{"type": "text/html", "value": "Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to<br>    obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host.<br><br>", "base64": false}]}], "providerMetadata": {"orgId": "eb103674-0d28-4225-80f8-39fb86215de0", "shortName": "hpe", "dateUpdated": "2023-08-22T18:09:38.208Z"}}}, "cveMetadata": {"cveId": "CVE-2023-37439", "state": "PUBLISHED", "dateUpdated": "2024-10-29T19:16:16.550Z", "dateReserved": "2023-07-05T17:36:47.999Z", "assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0", "datePublished": "2023-08-22T18:09:38.208Z", "assignerShortName": "hpe"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA5579FB-869B-4D42-8415-EFCB0B25563A", "versionEndExcluding": "9.1.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:*:*:*:*:*:*:*:*", "matchCriteriaId": "304A0BEF-1376-4390-810B-02DC1DAC8786", "versionEndExcluding": "9.2.6", "versionStartIncluding": "9.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:9.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "141D0310-AE35-48FA-953A-1F2019370717", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple vulnerabilities in the web-based management\u00a0interface of EdgeConnect SD-WAN Orchestrator could allow\u00a0an authenticated remote attacker to conduct SQL injection\u00a0attacks against the EdgeConnect SD-WAN Orchestrator\u00a0instance. An attacker could exploit these vulnerabilities to\n\u00a0 \u00a0 obtain and modify sensitive information in the underlying\u00a0database potentially leading to the exposure and corruption\u00a0of sensitive data controlled by the EdgeConnect SD-WAN\u00a0Orchestrator host.\n\n"}], "id": "CVE-2023-37439", "lastModified": "2024-11-21T08:11:42.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-alert@hpe.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-22T19:16:38.817", "references": [{"source": "security-alert@hpe.com", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Vendor Advisory"], "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt"}], "sourceIdentifier": "security-alert@hpe.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-922"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}