CVE-2023-37424

A vulnerability in the web-based management interfaceof EdgeConnect SD-WAN Orchestrator could allow anunauthenticated remote attacker to run arbitrary commands onthe underlying host if certain preconditions outside of theattacker's control are met. Successful exploitation of thisvulnerability could allow an attacker to execute arbitrarycommands on the underlying operating system leading tocomplete system compromise.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
hpeCNA
8.1 HIGH
NETWORK
HIGH
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 82%
VendorProductVersion
arubanetworksedgeconnect_sd-wan_orchestrator
9.0.0 ≤
𝑥
≤ 9.0.5
arubanetworksedgeconnect_sd-wan_orchestrator
9.1.0 ≤
𝑥
≤ 9.1.7
arubanetworksedgeconnect_sd-wan_orchestrator
9.2.0 ≤
𝑥
≤ 9.2.5
arubanetworksedgeconnect_sd-wan_orchestrator
9.3.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-012.txt