Authenticated Path Traversal in ArubaOS Command Line Interface Allows for Arbitrary File Deletion

CVE-2023-35975

8.1HIGH

Key Information

Vendor: HP
Status: Aruba Mobility Conductor (formerly Mobility Master); Aruba Mobility Controllers; WLAN Gateways and SD-WAN Gateways managed by Aruba Central
Vendor: CVE Published:; 5 July 2023

Summary

An authenticated path traversal vulnerability exists in the ArubaOS command line interface. Successful exploitation of this vulnerability results in the ability to delete arbitrary files in the underlying operating system.

Affected Version(s)

Aruba Mobility Conductor (formerly Mobility Master); Aruba Mobility Controllers; WLAN Gateways and SD-WAN Gateways managed by Aruba Central <= - ArubaOS 10.4.x.x: 10.4.0.1 and below

Aruba Mobility Conductor (formerly Mobility Master); Aruba Mobility Controllers; WLAN Gateways and SD-WAN Gateways managed by Aruba Central = - ArubaOS 10.4.x.x: 10.4.0.1 and below

Aruba Mobility Conductor (formerly Mobility Master); Aruba Mobility Controllers; WLAN Gateways and SD-WAN Gateways managed by Aruba Central = - ArubaOS 8.11.x.x: 8.11.1.0 and below

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Jul 5, 2023
Vulnerability Reserved.
Jun 20, 2023

Collectors

NVD DatabaseMitre Database

Credit

Erik de Jong (bugcrowd.com/erikdejong)