Authorization Bypass Leading to Privilege Escalation in ClearPass Policy Manager Web-Based Management Interface
CVE-2023-25594

8.8HIGH

Key Information:

Vendor: HP
Status: Aruba ClearPass Policy Manager
Vendor: CVE Published:; 22 March 2023

Summary

A security flaw exists in the web-based management interface of ClearPass Policy Manager from Aruba Networks, enabling an attacker with only read-only privileges to perform state-altering actions. This vulnerability compromises the integrity of access controls, allowing unauthorized users to manipulate the instance's state, which poses significant risks to the system’s overall security.

Affected Version(s)

Aruba ClearPass Policy Manager 6.11.1 and below

Aruba ClearPass Policy Manager 6.10.8 and below

Aruba ClearPass Policy Manager 6.9.13 and below

References

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 22, 2023
Vulnerability Reserved
Feb 7, 2023

Credit

State Bank of India and ING Bank N.V.