CVE-2018-7065: SQL Injection in ClearPass Policy Manager

CWE-89: SQL Injection (3 documents, 3 sources)
Severity: 7.2 HIGH (NVD)
EPSS: 0.3% (top 46.28%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 7; latest update May 14

Description

An authenticated SQL injection vulnerability in Aruba ClearPass Policy Manager can lead to privilege escalation. All versions of ClearPass are affected by multiple authenticated SQL injection vulnerabilities. In each case, an authenticated administrative user of any type could exploit this vulnerability to gain access to "appadmin" credentials, leading to complete cluster compromise. Resolution: Fixed in 6.7.6 and 6.6.10-hotfix.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: hewlett_packard_enterprise/aruba_clearpass_policy_manager: All versions of ClearPass prior to 6.7.6, ClearPass 6.6.10 and earlier without hotfix applied

Vulnerability Details (2)

GHSA: GHSA-p87p-59p8-545p: An authenticated SQL injection vulnerability in Aruba ClearPass Policy Manager can lead to privilege escalation (2022-05-14)
CVEList: CVE-2018-7065: An authenticated SQL injection vulnerability in Aruba ClearPass Policy Manager can lead to privilege escalation (2018-12-07)