CVE-2023-37424

EUVD-2023-41324

22.08.2023, 19:16

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an unauthenticated remote attacker to run arbitrary commands on the underlying host if certain preconditions outside of the attacker's control are met. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.

Code Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
hpe	CNA	8.1 HIGH	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 87%

Affected Products (NVD)

Vendor	Product	Version
arubanetworks	edgeconnect_sd-wan_orchestrator	9.0.0 ≤ 𝑥 ≤ 9.0.5
arubanetworks	edgeconnect_sd-wan_orchestrator	9.1.0 ≤ 𝑥 ≤ 9.1.7
arubanetworks	edgeconnect_sd-wan_orchestrator	9.2.0 ≤ 𝑥 ≤ 9.2.5
arubanetworks	edgeconnect_sd-wan_orchestrator	9.3.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-94 - Improper Control of Generation of Code ('Code Injection')
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt