CVE-2023-37437

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-08-22 19:16

Updated : 2023-08-29 13:32

NVD link : CVE-2023-37437

Mitre link : CVE-2023-37437

CVE.ORG link : CVE-2023-37437

JSON object : View

Products Affected

arubanetworks

edgeconnect_sd-wan_orchestrator

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2023-37437", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "security-alert@hpe.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.2}]}, "published": "2023-08-22T19:16:38.640", "references": [{"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-alert@hpe.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Multiple vulnerabilities in the web-based management\u00a0interface of EdgeConnect SD-WAN Orchestrator could allow\u00a0an authenticated remote attacker to conduct SQL injection\u00a0attacks against the EdgeConnect SD-WAN Orchestrator\u00a0instance. An attacker could exploit these vulnerabilities to\n\u00a0 \u00a0 obtain and modify sensitive information in the underlying\u00a0database potentially leading to the exposure and corruption\u00a0of sensitive data controlled by the EdgeConnect SD-WAN\u00a0Orchestrator host.\n\n"}], "lastModified": "2023-08-29T13:32:27.810", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1EB5B1A1-792C-4AA9-AB5D-99B14DB57E66", "versionEndExcluding": "9.3.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-alert@hpe.com"}