CVE-2022-43520

CVSS V2 None CVSS V3 None

Description

Multiple vulnerabilities in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the Aruba EdgeConnect Enterprise Orchestrator instance. An attacker could exploit these vulnerabilities to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator 9.2.1.40179 and below, - Orchestrator 9.1.4.40436 and below, - Orchestrator 9.0.7.40110 and below, - Orchestrator 8.10.23.40015 and below, - Any older branches of Orchestrator not specifically mentioned.

Overview

CVE ID
CVE-2022-43520

Assigner
security-alert@hpe.com

Vulnerability Status
Analyzed

Published Version
2023-01-05T07:15:10

Last Modified Date
2023-01-11T15:51:24

Weakness Enumerations

CWE	URL
CWE-89	http://cwe.mitre.org/data/definitions/89.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version Start	Version End
cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::on-premises:::*	1	OR		8.10.23.40015
cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::on-premises:::*	1	OR	9.0.0	9.0.7.40110
cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::on-premises:::*	1	OR	9.1.0	9.1.4.40436
cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::on-premises:::*	1	OR	9.2.0	9.2.1.40179
cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::as-a-service:::*	1	OR		8.10.23.40015
cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::as-a-service:::*	1	OR	9.0.0	9.0.7.40110
cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::as-a-service:::*	1	OR	9.1.0	9.1.4.40436
cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::as-a-service:::*	1	OR	9.2.0	9.2.1.40179
cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::global_enterprise_tenant_orchestrators:::*	1	OR		8.10.23.40015
cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::global_enterprise_tenant_orchestrators:::*	1	OR	9.0.0	9.0.7.40110
cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::global_enterprise_tenant_orchestrators:::*	1	OR	9.1.0	9.1.4.40436
cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::global_enterprise_tenant_orchestrators:::*	1	OR	9.2.0	9.2.1.40179
cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::sp:::*	1	OR		8.10.23.40015
cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::sp:::*	1	OR	9.0.0	9.0.7.40110
cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::sp:::*	1	OR	9.1.0	9.1.4.40436
cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:::::sp:::*	1	OR	9.2.0	9.2.1.40179

References

Reference URL	Reference Tags
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-021.txt

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2022-43520
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43520

History

Created	Old Value	New Value	Data Type	Notes
2023-01-05 07:16:24				Added to TrackCVE
2023-01-05 14:15:37		2023-01-05T14:01:41	CVE Modified Date	updated
2023-01-05 14:15:37	Received	Awaiting Analysis	Vulnerability Status	updated
2023-01-09 19:18:18	Awaiting Analysis	Undergoing Analysis	Vulnerability Status	updated
2023-01-12 05:15:39		2023-01-11T15:51:24	CVE Modified Date	updated
2023-01-12 05:15:39	Undergoing Analysis	Analyzed	Vulnerability Status	updated
2023-01-12 05:15:39			Weakness Enumeration	new
2023-01-12 05:15:42			CPE Information	updated