CVE-2024-41915
Authenticated SQL Injection Vulnerability in ClearPass Policy Manager Web-based Management Interface
Severity Score
7.2
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track*
*SSVC
Descriptions
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass Policy Manager instance. An attacker could exploit this vulnerability to obtain and modify sensitive information in the underlying database potentially leading to complete compromise of the ClearPass Policy Manager cluster.
*Credits:
security team at Cabridge University [CN2][GN3]
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track*
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-07-23 CVE Reserved
- 2024-07-30 CVE Published
- 2024-07-31 EPSS Updated
- 2024-08-02 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04675en_us&docLocale=en_US |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Hewlett Packard Enterprise (HPE) Search vendor "Hewlett Packard Enterprise (HPE)" | ClearPass Policy Manager (CPPM) Search vendor "Hewlett Packard Enterprise (HPE)" for product "ClearPass Policy Manager (CPPM)" | <= 6.12.1 Search vendor "Hewlett Packard Enterprise (HPE)" for product "ClearPass Policy Manager (CPPM)" and version " <= 6.12.1" | en |
Affected
| ||||||
| Hewlett Packard Enterprise (HPE) Search vendor "Hewlett Packard Enterprise (HPE)" | ClearPass Policy Manager (CPPM) Search vendor "Hewlett Packard Enterprise (HPE)" for product "ClearPass Policy Manager (CPPM)" | <= 6.11.8 Search vendor "Hewlett Packard Enterprise (HPE)" for product "ClearPass Policy Manager (CPPM)" and version " <= 6.11.8" | en |
Affected
| ||||||