Multi-Factor Authentication Bypass in Aruba EdgeConnect Enterprise Orchestrator
CVE-2022-43528

4.8MEDIUM

Key Information:

Vendor: HP
Status: Aruba Edgeconnect Enterprise Orchestration Software
Vendor: CVE Published:; 5 January 2023

Summary

Under specific configurations, an attacker may gain unauthorized access to the Aruba EdgeConnect Enterprise Orchestrator by circumventing the multi-factor authentication (MFA) mechanism. This allows for login using only a valid username and password. The vulnerability affects multiple versions of the Orchestrator, including both on-premises and as-a-service deployments, potentially placing sensitive data and network security at risk.

Affected Version(s)

Aruba EdgeConnect Enterprise Orchestration Software Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator 9.2.1.40179 and below, - Orchestrator 9.1.4.40436 and below, - Orchestrator 9.0.7.40110 and below, - Orchestrator 8.10.23.40015 and below, - Any older branches of Orchestrator not specifically mentioned.

References

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022...

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 5, 2023
Vulnerability Reserved
Oct 20, 2022