CVE-2023-37439

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator::::::::
	cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator::::::::
	cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:9.3.0:::::::*

History

No history.

Information

Published : 2023-08-22 19:16

Updated : 2023-08-29 15:12

NVD link : CVE-2023-37439

Mitre link : CVE-2023-37439

CVE.ORG link : CVE-2023-37439

JSON object : View

Products Affected

arubanetworks

edgeconnect_sd-wan_orchestrator

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-37439", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-alert@hpe.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2023-08-22T19:16:38.817", "references": [{"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-alert@hpe.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Multiple vulnerabilities in the web-based management\u00a0interface of EdgeConnect SD-WAN Orchestrator could allow\u00a0an authenticated remote attacker to conduct SQL injection\u00a0attacks against the EdgeConnect SD-WAN Orchestrator\u00a0instance. An attacker could exploit these vulnerabilities to\n\u00a0 \u00a0 obtain and modify sensitive information in the underlying\u00a0database potentially leading to the exposure and corruption\u00a0of sensitive data controlled by the EdgeConnect SD-WAN\u00a0Orchestrator host.\n\n"}], "lastModified": "2023-08-29T15:12:00.960", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BA5579FB-869B-4D42-8415-EFCB0B25563A", "versionEndExcluding": "9.1.8"}, {"criteria": "cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "304A0BEF-1376-4390-810B-02DC1DAC8786", "versionEndExcluding": "9.2.6", "versionStartIncluding": "9.2.0"}, {"criteria": "cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:9.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "141D0310-AE35-48FA-953A-1F2019370717"}], "operator": "OR"}]}], "sourceIdentifier": "security-alert@hpe.com"}