CVE-2018-7067: Improper Authentication in ClearPass Policy Manager

Severity: 7.2 HIGH (NVD)
EPSS: 0.6% (top 29.62%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 7; latest update May 14

Description

A Remote Authentication bypass in Aruba ClearPass Policy Manager leads to complete cluster compromise. An authentication flaw in all versions of ClearPass could allow an attacker to compromise the entire cluster through a specially crafted API call. Network access to the administrative web interface is required to exploit this vulnerability. Resolution: Fixed in 6.7.6 and 6.6.10-hotfix.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (2 packages)

Source: CVEListV5
Package: hewlett_packard_enterprise/aruba_clearpass_policy_manager
Affected versions: All versions of ClearPass prior to 6.7.6, ClearPass 6.6.10 and earlier without hotfix applied

Vulnerability Details (2)

GHSA: GHSA-w7p2-f9vj-jjvv: A Remote Authentication bypass in Aruba ClearPass Policy Manager leads to complete cluster compromise (2022-05-14)
CVEList: CVE-2018-7067: A Remote Authentication bypass in Aruba ClearPass Policy Manager leads to complete cluster compromise (2018-12-07)