Authenticated SQL Injection Vulnerability in ClearPass Policy Manager Web-based Management Interface
CVE-2023-43507

7.2HIGH

Key Information:

Vendor: HP
Status: Aruba Clearpass Policy Manager
Vendor: CVE Published:; 25 October 2023

Summary

A vulnerability within the web-based management interface of ClearPass Policy Manager allows authenticated remote attackers to perform SQL injection attacks. By exploiting this flaw, attackers can gain unauthorized access to sensitive data stored in the underlying database, potentially leading to a full compromise of the ClearPass Policy Manager cluster. Vigilant security measures should be implemented to protect against such exploits to ensure the integrity and confidentiality of sensitive information.

Affected Version(s)

Aruba ClearPass Policy Manager ClearPass Policy Manager 6.11.x: 6.11.4 and below

Aruba ClearPass Policy Manager ClearPass Policy Manager 6.10.x: 6.10.8 with ClearPass 6.10.8 Cumulative Hotfix Patch 5 and below

Aruba ClearPass Policy Manager ClearPass Policy Manager 6.9.x: 6.9.13 with ClearPass 6.9.13 Cumulative Hotfix Patch 3 and below

References

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 25, 2023
Vulnerability Reserved
Sep 19, 2023

Credit

Luke Young (bugcrowd.com/bored_engineer)