CVE-2018-7079: Incorrect Authorization in ClearPass Policy Manager

Severity: 7.2 HIGH (NVD)
EPSS: 0.3% (top 43.32%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 7; latest update May 13

Description

Aruba ClearPass Policy Manager guest authorization failure. Certain administrative operations in ClearPass Guest do not properly enforce authorization rules, which allows any authenticated administrative user to execute those operations regardless of privilege level. This could allow low-privilege users to view, modify, or delete guest users. Resolution: Fixed in 6.7.6 and 6.6.10-hotfix.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.2 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: hewlett_packard_enterprise/aruba_clearpass_policy_manager: ClearPass 6.7.x prior to 6.7.6, ClearPass 6.6.10 and earlier without hotfix applied

Vulnerability Details (2)

GHSA: GHSA-9m3x-jcp9-v9rq: Aruba ClearPass Policy Manager guest authorization failure (2022-05-13)
CVEList: CVE-2018-7079: Aruba ClearPass Policy Manager guest authorization failure (2018-12-07)