CVE-2018-7084

Severity
9.8 CRITICAL
EPSS
27.3%
top 3.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 10
Latest update: May 24

Description

A command injection vulnerability is present that permits an unauthenticated user with access to the Aruba Instant web interface to execute arbitrary system commands within the underlying operating system. An attacker could use this ability to copy files, read configuration, write files, delete files, or reboot the device.

Workaround: Block access to the Aruba Instant web interface from all untrusted users.

Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 | Impact: 5.9

Affected Packages: 3 packages

NVD | arubanetworks/aruba_instant | 4.0 | 4.2.4.12 | +3
CVEListV5 | aruba_instant_(iap) | Aruba Instant 4.x prior to 6.4.4.8 - 4.2.4.12; Aruba Instant 6.5.x prior to 6.5.4.11; Aruba Instant 8.3.x prior to 8.3.0.6; Aruba Instant 8.4.x prior to 8.4.0.1

🔴 Vulnerability Details

2
GHSA
GHSA-pxhj-rpvv-rcrx: A command injection vulnerability is present that permits an unauthenticated user with access to the Aruba Instant web interface to execute arbitrary | 2022-05-24
CVEList
CVE-2018-7084: A command injection vulnerability is present that permits an unauthenticated user with access to the Aruba Instant web interface to execute arbitrary | 2019-05-10