CVE-2023-43508

Vulnerabilities in the web-based management interface of ClearPass Policy Manager allow an attacker with read-only privileges to perform actions that change the state of the ClearPass Policy Manager instance. Successful exploitation of these vulnerabilities allow an attacker to complete state-changing actions in the web-based management interface that should not be allowed by their current level of authorization on the platform.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:arubanetworks:clearpass_policy_manager::::::::
	cpe:2.3:a:arubanetworks:clearpass_policy_manager::::::::
	cpe:2.3:a:arubanetworks:clearpass_policy_manager::::::::
	cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.9.13:-::::::
	cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.9.13:cumulative_hotfix_patch_2::::::
	cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.9.13:cumulative_hotfix_patch_3::::::
	cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.10.8:-::::::
	cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.10.8:cumulative_hotfix_patch_2::::::
	cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.10.8:cumulative_hotfix_patch_5::::::

History

No history.

Information

Published : 2023-10-25 18:17

Updated : 2023-11-01 16:21

NVD link : CVE-2023-43508

Mitre link : CVE-2023-43508

CVE.ORG link : CVE-2023-43508

JSON object : View

Products Affected

arubanetworks

clearpass_policy_manager

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2023-43508", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-alert@hpe.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2023-10-25T18:17:31.990", "references": [{"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt", "tags": ["Vendor Advisory"], "source": "security-alert@hpe.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Vulnerabilities in the web-based management interface of\u00a0ClearPass Policy Manager allow an attacker with read-only\u00a0privileges to perform actions that change the state of the\u00a0ClearPass Policy Manager instance. Successful exploitation\u00a0of these vulnerabilities allow an attacker to complete\u00a0state-changing actions in the web-based management interface\u00a0that should not be allowed by their current level of\u00a0authorization on the platform."}, {"lang": "es", "value": "Las vulnerabilidades en la interfaz de administraci\u00f3n basada en web de ClearPass Policy Manager permiten que un atacante con privilegios de solo lectura realice acciones que cambien el estado de la instancia de ClearPass Policy Manager. La explotaci\u00f3n exitosa de estas vulnerabilidades permite a un atacante completar acciones de cambio del estado en la interfaz de administraci\u00f3n basada en web que no deber\u00edan estar permitidas por su nivel actual de autorizaci\u00f3n en la plataforma."}], "lastModified": "2023-11-01T16:21:53.443", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:arubanetworks:clearpass_policy_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "124117E4-FE27-43AB-B5F5-B4EFCA767430", "versionEndExcluding": "6.9.13"}, {"criteria": "cpe:2.3:a:arubanetworks:clearpass_policy_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "84F5E56D-039C-47B0-827A-AFE34887DAD2", "versionEndExcluding": "6.10.8", "versionStartIncluding": "6.10.0"}, {"criteria": "cpe:2.3:a:arubanetworks:clearpass_policy_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "349AD8EE-ECFF-469B-80E6-0ABFDEF55A2C", "versionEndIncluding": "6.11.4", "versionStartIncluding": "6.11.0"}, {"criteria": "cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.9.13:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "57C5BF92-A455-44E4-AE20-F9A1D790422D"}, {"criteria": "cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.9.13:cumulative_hotfix_patch_2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7962FD34-6A38-461A-8942-BCA227AF8AF9"}, {"criteria": "cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.9.13:cumulative_hotfix_patch_3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "435A3CE6-AB76-4F4F-B11F-71E0C7619A9A"}, {"criteria": "cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.10.8:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1DB2448F-D014-4672-90A9-3BCC91096B93"}, {"criteria": "cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.10.8:cumulative_hotfix_patch_2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80F47102-7F9F-449F-91A1-76372AA7F3D4"}, {"criteria": "cpe:2.3:a:arubanetworks:clearpass_policy_manager:6.10.8:cumulative_hotfix_patch_5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F85708F3-CA05-472A-9B51-373D1AD14E9C"}], "operator": "OR"}]}], "sourceIdentifier": "security-alert@hpe.com"}