Server-side Prototype Pollution Vulnerability Could Lead to System Compromise
CVE-2024-22443

8.8HIGH

Key Information:

Vendor: HP
Status: HP Aruba Networking Edgeconnect Sd-wan Orchestrator
Vendor: CVE Published:; 24 July 2024

Summary

A vulnerability exists in the web-based management interface of the EdgeConnect SD-WAN Orchestrator, enabling authenticated remote attackers to carry out server-side prototype pollution attacks. Exploiting this flaw can lead to arbitrary command execution on the underlying operating system, potentially resulting in complete system takeover. Organizations using the affected product are urged to assess their exposure and implement necessary security measures to protect their systems.

Affected Version(s)

HPE Aruba Networking EdgeConnect SD-WAN Orchestrator EdgeConnect SD-WAN Orchestrator 9.4.x: Orchestrator 9.4.1 (all builds) and below

HPE Aruba Networking EdgeConnect SD-WAN Orchestrator EdgeConnect SD-WAN Orchestrator 9.3.x: Orchestrator 9.3.2 (all builds) and below

HPE Aruba Networking EdgeConnect SD-WAN Orchestrator EdgeConnect SD-WAN Orchestrator 9.2.x: Orchestrator 9.2.9 (all builds) and below

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpe...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jul 24, 2024
Vulnerability Reserved
Jan 10, 2024

Credit

Daniel Jensen (@dozernz)