Authenticated Remote Command Execution in Aruba InstantOS or ArubaOS 10 Command Line Interface
CVE-2023-22790

8.8HIGH

Key Information:

Vendor
HP (HP)
Status
Aruba Access Points Running Instantos And Arubaos 10
Vendor
CVE Published:
8 May 2023

Summary

Multiple command injection vulnerabilities exist in the command line interface of Aruba InstantOS and ArubaOS 10. Exploiting these vulnerabilities allows attackers, who have already authenticated, to execute arbitrary commands with the privileges of a privileged user on the underlying operating system. This poses a significant risk to the integrity and confidentiality of the system, as malicious actors could gain unauthorized access to sensitive information and system controls.

Affected Version(s)

Aruba Access Points running InstantOS and ArubaOS 10 Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below

Aruba Access Points running InstantOS and ArubaOS 10 Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below

Aruba Access Points running InstantOS and ArubaOS 10 Aruba InstantOS 6.5.x: 6.5.4.23 and below

References

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023...

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Daniel Jensen (@dozernz)
.