Privilege Escalation in Aruba EdgeConnect Enterprise Orchestrator Management Interface
CVE-2022-44535

8.8HIGH

Key Information:

Vendor: HP
Status: Aruba Edgeconnect Enterprise Orchestration Software
Vendor: CVE Published:; 5 January 2023

Summary

A security flaw in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator enables authenticated low-privileged users to escalate their privileges to that of an administrative user. This privilege escalation could allow attackers to gain complete control over the system, potentially leading to severe misconfigurations or data exposure. The affected versions include Aruba EdgeConnect Enterprise Orchestrator 9.2.1.40179 and below, 9.1.4.40436 and below, 9.0.7.40110 and below, 8.10.23.40015 and below, and any earlier branches not explicitly listed.

Affected Version(s)

Aruba EdgeConnect Enterprise Orchestration Software Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator 9.2.1.40179 and below, - Orchestrator 9.1.4.40436 and below, - Orchestrator 9.0.7.40110 and below, - Orchestrator 8.10.23.40015 and below, - Any older branches of Orchestrator not specifically mentioned.

References

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 5, 2023
Vulnerability Reserved
Oct 31, 2022