Lucene search

K
cveHpeCVE-2022-43529
HistoryJan 05, 2023 - 7:15 a.m.

CVE-2022-43529

2023-01-0507:15:12
CWE-384
hpe
web.nvd.nist.gov
27
aruba
edgeconnect
enterprise orchestrator
vulnerability
session
password reset
nvd
cve-2022-43529

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

35.7%

A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an remote attacker to persist a session after a password reset or similar session clearing event. Successful exploitation of this vulnerability could allow an authenticated attacker to remain on the system with the permissions of their current session after the session should be invalidated in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator 9.2.1.40179 and below, - Orchestrator 9.1.4.40436 and below, - Orchestrator 9.0.7.40110 and below, - Orchestrator 8.10.23.40015 and below, - Any older branches of Orchestrator not specifically mentioned.

Affected configurations

Nvd
Node
arubanetworksaruba_edgeconnect_enterprise_orchestratorRange8.10.23.40015on-premises
OR
arubanetworksaruba_edgeconnect_enterprise_orchestratorRange9.0.09.0.7.40110on-premises
OR
arubanetworksaruba_edgeconnect_enterprise_orchestratorRange9.1.09.1.4.40436on-premises
OR
arubanetworksaruba_edgeconnect_enterprise_orchestratorRange9.2.09.2.1.40179on-premises
Node
arubanetworksaruba_edgeconnect_enterprise_orchestratorRange8.10.23.40015as-a-service
OR
arubanetworksaruba_edgeconnect_enterprise_orchestratorRange9.0.09.0.7.40110as-a-service
OR
arubanetworksaruba_edgeconnect_enterprise_orchestratorRange9.1.09.1.4.40436as-a-service
OR
arubanetworksaruba_edgeconnect_enterprise_orchestratorRange9.2.09.2.1.40179as-a-service
Node
arubanetworksaruba_edgeconnect_enterprise_orchestratorRange8.10.23.40015global_enterprise_tenant_orchestrators
OR
arubanetworksaruba_edgeconnect_enterprise_orchestratorRange9.0.09.0.7.40110global_enterprise_tenant_orchestrators
OR
arubanetworksaruba_edgeconnect_enterprise_orchestratorRange9.1.09.1.4.40436global_enterprise_tenant_orchestrators
OR
arubanetworksaruba_edgeconnect_enterprise_orchestratorRange9.2.09.2.1.40179global_enterprise_tenant_orchestrators
Node
arubanetworksaruba_edgeconnect_enterprise_orchestratorRange8.10.23.40015sp
OR
arubanetworksaruba_edgeconnect_enterprise_orchestratorRange9.0.09.0.7.40110sp
OR
arubanetworksaruba_edgeconnect_enterprise_orchestratorRange9.1.09.1.4.40436sp
OR
arubanetworksaruba_edgeconnect_enterprise_orchestratorRange9.2.09.2.1.40179sp
VendorProductVersionCPE
arubanetworksaruba_edgeconnect_enterprise_orchestrator*cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:on-premises:*:*:*
arubanetworksaruba_edgeconnect_enterprise_orchestrator*cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:as-a-service:*:*:*
arubanetworksaruba_edgeconnect_enterprise_orchestrator*cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:global_enterprise_tenant_orchestrators:*:*:*
arubanetworksaruba_edgeconnect_enterprise_orchestrator*cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:sp:*:*:*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Aruba EdgeConnect Enterprise Orchestration Software",
    "vendor": "Hewlett Packard Enterprise (HPE)",
    "versions": [
      {
        "status": "affected",
        "version": "Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator 9.2.1.40179 and below, - Orchestrator 9.1.4.40436 and below, - Orchestrator 9.0.7.40110 and below, - Orchestrator 8.10.23.40015 and below, - Any older branches of Orchestrator not specifically mentioned."
      }
    ]
  }
]

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

AI Score

5.5

Confidence

High

EPSS

0.001

Percentile

35.7%

Related for CVE-2022-43529