CVE-2023-43507
Authenticated SQL Injection Vulnerability in ClearPass Policy Manager Web-based Management Interface
Severity Score
8.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Attend
*SSVC
Descriptions
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit this vulnerability to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the ClearPass Policy Manager cluster.
Una vulnerabilidad en la interfaz de administración basada en web de ClearPass Policy Manager podría permitir que un atacante remoto autenticado realice ataques de inyección SQL contra la instancia de ClearPass Policy Manager. Un atacante podría aprovechar esta vulnerabilidad para obtener y modificar información confidencial en la base de datos subyacente, lo que podría comprometer por completo el clúster de ClearPass Policy Manager.
*Credits:
Luke Young (bugcrowd.com/bored_engineer)
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Attend
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-09-19 CVE Reserved
- 2023-10-24 CVE Published
- 2024-09-11 CVE Updated
- 2024-10-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (1)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt | 2023-11-01 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Arubanetworks Search vendor "Arubanetworks" | Clearpass Policy Manager Search vendor "Arubanetworks" for product "Clearpass Policy Manager" | < 6.9.13 Search vendor "Arubanetworks" for product "Clearpass Policy Manager" and version " < 6.9.13" | - |
Affected
| ||||||
| Arubanetworks Search vendor "Arubanetworks" | Clearpass Policy Manager Search vendor "Arubanetworks" for product "Clearpass Policy Manager" | >= 6.10.0 < 6.10.8 Search vendor "Arubanetworks" for product "Clearpass Policy Manager" and version " >= 6.10.0 < 6.10.8" | - |
Affected
| ||||||
| Arubanetworks Search vendor "Arubanetworks" | Clearpass Policy Manager Search vendor "Arubanetworks" for product "Clearpass Policy Manager" | >= 6.11.0 <= 6.11.4 Search vendor "Arubanetworks" for product "Clearpass Policy Manager" and version " >= 6.11.0 <= 6.11.4" | - |
Affected
| ||||||
| Arubanetworks Search vendor "Arubanetworks" | Clearpass Policy Manager Search vendor "Arubanetworks" for product "Clearpass Policy Manager" | 6.9.13 Search vendor "Arubanetworks" for product "Clearpass Policy Manager" and version "6.9.13" | - |
Affected
| ||||||
| Arubanetworks Search vendor "Arubanetworks" | Clearpass Policy Manager Search vendor "Arubanetworks" for product "Clearpass Policy Manager" | 6.9.13 Search vendor "Arubanetworks" for product "Clearpass Policy Manager" and version "6.9.13" | cumulative_hotfix_patch_2 |
Affected
| ||||||
| Arubanetworks Search vendor "Arubanetworks" | Clearpass Policy Manager Search vendor "Arubanetworks" for product "Clearpass Policy Manager" | 6.9.13 Search vendor "Arubanetworks" for product "Clearpass Policy Manager" and version "6.9.13" | cumulative_hotfix_patch_3 |
Affected
| ||||||
| Arubanetworks Search vendor "Arubanetworks" | Clearpass Policy Manager Search vendor "Arubanetworks" for product "Clearpass Policy Manager" | 6.10.8 Search vendor "Arubanetworks" for product "Clearpass Policy Manager" and version "6.10.8" | - |
Affected
| ||||||
| Arubanetworks Search vendor "Arubanetworks" | Clearpass Policy Manager Search vendor "Arubanetworks" for product "Clearpass Policy Manager" | 6.10.8 Search vendor "Arubanetworks" for product "Clearpass Policy Manager" and version "6.10.8" | cumulative_hotfix_patch_2 |
Affected
| ||||||
| Arubanetworks Search vendor "Arubanetworks" | Clearpass Policy Manager Search vendor "Arubanetworks" for product "Clearpass Policy Manager" | 6.10.8 Search vendor "Arubanetworks" for product "Clearpass Policy Manager" and version "6.10.8" | cumulative_hotfix_patch_5 |
Affected
| ||||||