HP company Aruba Networks has shipped patches fixing 14 vulnerabilities in its ClearPass Policy Manager software.
The flaws affect versions 6.10.6 and below in the 6.10.x series, and 6.9.11 and below in the 6.9.x series.
Five of the vulnerabilities are authenticated SQL injection bugs in the product’s web-based management interface.
CVE-2022-23692, CVE-2022-23693, CVE-2022-23694, CVE-2022-23695, and CVE-2022-23696 would allow an authenticated remote attacker to “obtain and modify sensitive information in the underlying database”, the advisory said, “potentially leading to complete compromise of the ClearPass Policy Manager cluster”.
These vulnerabilities are rated high severity and were reported to the company’s bug bounty by Luke Young, working with Daniel Jensen.
Also rated high severity is CVE-2022-23685, a lack of cross-site request forgery (CSRF) protection on certain endpoints.
A remote, unauthenticated attacker could submit input to those endpoints “if the attacker can persuade an authenticated user of the interface” to click on a crafted URL.
The ClearPass OnGuard agent for macOS is subject to CVE-2022-37877, a privilege escalation allowing users on a macOS instance to execute arbitrary code as root.
It was also the work of Luke Young and is rated high.
Daniel Jensen had a hand in a set of six high-rated remote command injection bugs in the web management interface: CVE-2022-37878, CVE-2022-37879, CVE-2022-37880, CVE-2022-37881, CVE-2022-37882, and CVE-2022-37883.
Remote authenticated users can run commands on the underlying host as root, leading to “complete system compromise”.
He also reported a medium-rated denial-of-service issue, CVE-2022-37884.
At the time of writing, no further information on the vulnerabilities had been made public.
The bugs are fixed in ClearPass Policy Manager 6.10.7 and above, and 6.9.12 and above.
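For defenders checking an inventory against the two fixed releases named above, here is an added example (not code from the article or from Aruba) that classifies ClearPass Policy Manager version strings per branch; the host names and versions in the sample inventory are constructed.

```python
# Added example: decide whether a ClearPass Policy Manager build predates the
# fixed release on its branch. Only the two branches the article names are
# handled; any other branch is reported as not covered by this advisory.
from typing import Dict, Optional, Tuple

# Fixed releases per branch, taken from the article: 6.10.7+ and 6.9.12+.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (6, 10): (6, 10, 7),
    (6, 9): (6, 9, 12),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.10.6' into (6, 10, 6); raises ValueError on malformed input."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build is below the fixed release on its branch,
    False if it is at or above the fix, None if the branch is not one
    the advisory covers (this check cannot say either way)."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return None
    # Tuple comparison is lexicographic: (6, 10, 6) < (6, 10, 7) is True,
    # while (6, 9, 12) < (6, 9, 12) is False.
    return v < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'patch' / 'ok' / 'review' for a {host: version} inventory."""
    result = {}
    for host, version in inventory.items():
        state = is_vulnerable(version)
        if state is None:
            result[host] = "review"   # branch not covered by this advisory
        else:
            result[host] = "patch" if state else "ok"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"cppm-a": "6.10.6", "cppm-b": "6.10.7",
              "cppm-c": "6.9.11", "cppm-d": "6.8.9"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```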
The company also recommends that the CLI and web-based management interface be restricted to dedicated layer 2 segments, VLANs, or behind firewalls.