CVE-2019-5318
https://notcve.org/view.php?id=CVE-2019-5318
A remote cross-site request forgery (csrf) vulnerability was discovered in Aruba Operating System Software version(s): 6.x.x.x: all versions, 8.x.x.x: all versions prior to 8.8.0.0. Aruba has released patches for ArubaOS that address this security vulnerability. Se ha detectado una vulnerabilidad de tipo cross-site request forgery (csrf) en la(s) versión(es) de Aruba Operating System Software versiones: 6.x.x.x: todas las versiones, 8.x.x.x: todas las versiones anteriores a la 8.8.0.0. Aruba ha publicado parches para ArubaOS que solucionan esta vulnerabilidad de seguridad • https://cert-portal.siemens.com/productcert/pdf/ssa-280624.pdf https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-016.txt • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2020-24637
https://notcve.org/view.php?id=CVE-2020-24637
Two vulnerabilities in ArubaOS GRUB2 implementation allows for an attacker to bypass secureboot. Successful exploitation of this vulnerability this could lead to remote compromise of system integrity by allowing an attacker to load an untrusted or modified kernel in Aruba 9000 Gateway; Aruba 7000 Series Mobility Controllers; Aruba 7200 Series Mobility Controllers version(s): 2.1.0.1, 2.2.0.0 and below; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below ; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below. Dos vulnerabilidades en la implementación de ArubaOS GRUB2 permiten a un atacante omitir el arranque seguro. Una explotación con éxito de esta vulnerabilidad podría conllevar a un compromiso remoto de la integridad del sistema al permitir a un atacante cargar un kernel modificado o no confiable en Aruba 9000 Gateway; Aruba 7000 Series Mobility Controllers; Aruba 7200 Series Mobility Controllers versiones: 2.1.0.1, 2.2.0.0 y anteriores; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 y por debajo; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 y por debajo • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbnw04072en_us •
CVE-2020-24633
https://notcve.org/view.php?id=CVE-2020-24633
There are multiple buffer overflow vulnerabilities that could lead to unauthenticated remote code execution by sending especially crafted packets destined to the PAPI (Aruba Networks AP management protocol) UDP port (8211) of access-points or controllers in Aruba 9000 Gateway; Aruba 7000 Series Mobility Controllers; Aruba 7200 Series Mobility Controllers version(s): 2.1.0.1, 2.2.0.0 and below; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below. Se presentan múltiples vulnerabilidades de desbordamiento de búfer que podrían conllevar a una ejecución de código remota no autenticada mediante el envío de paquetes especialmente diseñados destinados al puerto UDP (8211) de PAPI (protocolo de administración Aruba Networks AP) de puntos de acceso o controladores en Aruba 9000 Gateway; Aruba 7000 Series Mobility Controllers; Aruba 7200 Series Mobility Controllers versiones: 2.1.0.1, 2.2.0.0 y por debajo; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 y por debajo; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 y por debajo • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbnw04072en_us • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2020-24634
https://notcve.org/view.php?id=CVE-2020-24634
An attacker is able to remotely inject arbitrary commands by sending especially crafted packets destined to the PAPI (Aruba Networks AP Management protocol) UDP port (8211) of access-pointsor controllers in Aruba 9000 Gateway; Aruba 7000 Series Mobility Controllers; Aruba 7200 Series Mobility Controllers version(s): 2.1.0.1, 2.2.0.0 and below; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below ; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below. Un atacante es capaz de inyectar remotamente comandos arbitrarios mediante el envío de paquetes especialmente diseñados destinados al puerto UDP (8211) de PAPI (protocolo de Aruba Networks AP Management) de puntos de acceso o controladores en Aruba 9000 Gateway; Aruba 7000 Series Mobility Controllers; Aruba 7200 Series Mobility Controllers versiones: 2.1.0.1, 2.2.0.0 y por debajo; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 y por debajo; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 y por debajo • https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbnw04072en_us • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2019-5315
https://notcve.org/view.php?id=CVE-2019-5315
A command injection vulnerability is present in the web management interface of ArubaOS that permits an authenticated user to execute arbitrary commands on the underlying operating system. A malicious administrator could use this ability to install backdoors or change system configuration in a way that would not be logged. This vulnerability only affects ArubaOS 8.x. Una vulnerabilidad de inyección de comandos está presente en la interfaz de administración web de ArubaOS, lo que permite a un usuario autenticado ejecutar comandos arbitrarios sobre el sistema operativo subyacente. Un administrador malicioso podría utilizar esta capacidad para instalar puertas traseras (backdoors) o cambiar la configuración del sistema de una manera tal que no se registraría. • https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-004.txt • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •