CVE-2020-7116: Improper Input Validation in ClearPass Policy Manager

Severity: 7.2 HIGH (NVD)
EPSS: 1.4% (top 19.23%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 3; latest update May 24

Description

The ClearPass Policy Manager WebUI administrative interface has an authenticated remote command execution vulnerability. An attacker who is already authenticated to the administrative interface could exploit it to execute commands remotely in the underlying operating system.

Resolution: Fixed in 6.7.13-HF, 6.8.5-HF, 6.8.6, 6.9.1 and higher.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5: arubanetworks/clearpass_policy_manager
- ClearPass 6.9.x prior to 6.9.1
- ClearPass 6.8.x prior to 6.8.5-HF
- ClearPass 6.7.x prior to 6.7.13-HF

Vulnerability Details (2)

GHSA
GHSA-2wxp-29q4-hwg3: The ClearPass Policy Manager WebUI administrative interface has an authenticated command remote execution (2022-05-24)

CVEList
CVE-2020-7116: The ClearPass Policy Manager WebUI administrative interface has an authenticated command remote execution (2020-06-03)