Remote Host Header Injection in HPE Integrated Lights-Out 4 Firmware
CVE-2022-23701
5.3 MEDIUM
Key Information:
- Vendor: HP
- CVE Published: 24 February 2022
Summary
A security vulnerability in the HPE Integrated Lights-Out 4 (iLO 4) firmware allows remote host header injection. An attacker can send a crafted Host header to the iLO 4 web server, and the server may build a redirect from that untrusted value, sending the client to a domain controlled by the attacker. HPE has addressed this issue with a firmware update; users are strongly advised to upgrade to version 2.60 or later to mitigate the risk.
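The summary above describes the general pattern behind this vulnerability class: a redirect built from the client-supplied Host header. The following is an added example, not iLO firmware code and not from HPE, showing the weak pattern beside a hardened one that validates the Host header against an allowlist and builds redirects only from a configured canonical host, plus a small scan over constructed access-log lines to spot requests that carried an unexpected Host value. The host names, allowlist, and log format are assumptions made for the illustration.

```python
"""Host header allowlisting for a management web server (added example).

Constructed illustration of the vulnerability class in the advisory summary:
a redirect assembled from the client-supplied Host header can point a browser
at an attacker-controlled domain. The hardened variant rejects unknown hosts
and never echoes the header into the Location value. Not iLO code; the host
names below are placeholders.
"""
import re
from typing import List, Optional, Tuple

# Hypothetical configuration: the controller's own name and addresses.
CANONICAL_HOST = "ilo.example.internal"
ALLOWED_HOSTS = {"ilo.example.internal", "192.0.2.10"}

# host[:port], where host is a DNS name / IPv4 literal or a bracketed IPv6 literal.
_HOST_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\])(?::(?P<port>\d{1,5}))?$"
)


def redirect_location_vulnerable(host_header: str, path: str) -> str:
    """'Before' pattern: trusts the Host header verbatim when forming a redirect."""
    return f"https://{host_header}{path}"


def parse_host(host_header: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (name, port) if the header is syntactically host[:port], else None."""
    m = _HOST_RE.match(host_header.strip())
    if not m:
        return None
    port = m.group("port")
    if port is not None and not 0 < int(port) < 65536:
        return None
    return m.group("name").lower(), port


def host_is_allowed(host_header: str, allowed=ALLOWED_HOSTS) -> bool:
    """True only if the header parses and its name is on the allowlist."""
    parsed = parse_host(host_header)
    if parsed is None:
        return False
    name, _ = parsed
    return name in {h.lower() for h in allowed}


def redirect_location_hardened(host_header: str, path: str,
                               canonical=CANONICAL_HOST,
                               allowed=ALLOWED_HOSTS) -> Optional[str]:
    """Hardened pattern: refuse unknown hosts and build Location from config.

    Returns None when the request should be answered with 400 Bad Request.
    """
    if not host_is_allowed(host_header, allowed):
        return None
    # A path starting with "//" would be read as protocol-relative by browsers,
    # so only absolute, single-slash paths are passed through.
    if not path.startswith("/") or path.startswith("//"):
        path = "/"
    return f"https://{canonical}{path}"


# Constructed access-log lines: client_ip host_header method path status
SAMPLE_ACCESS_LOG = [
    "198.51.100.7 ilo.example.internal GET / 302",
    "198.51.100.7 evil.example GET / 302",
    "198.51.100.9 192.0.2.10 GET /login 200",
]


def flag_unexpected_hosts(lines: List[str], allowed=ALLOWED_HOSTS):
    """Detection helper: list requests whose Host header was not on the allowlist."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        client, host, _method, path, status = parts
        if not host_is_allowed(host, allowed):
            flagged.append((client, host, path, status))
    return flagged


if __name__ == "__main__":
    print("vulnerable:", redirect_location_vulnerable("evil.example", "/login"))
    print("hardened:  ", redirect_location_hardened("evil.example", "/login"))
    print("flagged:   ", flag_unexpected_hosts(SAMPLE_ACCESS_LOG))
```

The allowlist comparison is case-insensitive and tolerates an explicit port, but the redirect target is always the configured canonical host, so no part of the client-supplied header reaches the Location header. On a device whose firmware cannot be patched immediately, the same allowlist check is the kind of rule a reverse proxy or WAF in front of the management interface can enforce.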
Affected Version(s)
HPE Integrated Lights-Out 4 (iLO 4) Prior to 2.60
References
CVSS V3.1
- Score: 5.3
- Severity: MEDIUM
- Confidentiality: None
- Integrity: Low
- Availability: None
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved