CVE-2020-24634Command Injection in Arubaos

CWE-77Command Injection3 documents3 sources
Severity
9.8CRITICALNVD
EPSS
0.3%
top 46.64%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Arubanetworks ArubaosArubanetworks Sd-wan
Timeline
PublishedDec 11
Latest updateMay 24

Description

An attacker is able to remotely inject arbitrary commands by sending especially crafted packets destined to the PAPI (Aruba Networks AP Management protocol) UDP port (8211) of access-pointsor controllers in Aruba 9000 Gateway; Aruba 7000 Series Mobility Controllers; Aruba 7200 Series Mobility Controllers version(s): 2.1.0.1, 2.2.0.0 and below; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below ; 6.4.4.23, 6.5.4.17, 8.2.2.9, 8.3.0.13, 8.5.0.10, 8.6.0.5, 8.7.0.0 and below.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

NVDarubanetworks/sd-wan2.2.0.02.2.0.1+1
NVDarubanetworks/arubaos8.3.0.08.3.0.14+4

🔴Vulnerability Details

2
GHSA
GHSA-5v7p-whcg-3j32: An attacker is able to remotely inject arbitrary commands by sending especially crafted packets destined to the PAPI (Aruba Networks AP Management pro2022-05-24
CVEList
CVE-2020-24634: An attacker is able to remotely inject arbitrary commands by sending especially crafted packets destined to the PAPI (Aruba Networks AP Management pro2020-12-11
CVE-2020-24634 — Command Injection in Arubaos | cvebase