CVE-2021-26685 — SQL Injection in Clearpass Policy Manager

CWE-89 — SQL Injection CWE-78 — OS Command Injection3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 58.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Arubanetworks Clearpass Policy Manager Hewlett Packard Enterprise Aruba Clearpass Policy Manager

Timeline

PublishedFeb 23

Latest updateMay 24

Description

A remote authenticated SQL Injection vulnerabilitiy was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1. A vulnerability in the web-based management interface API of ClearPass could allow an authenticated remote attacker to conduct SQL injection attacks against the ClearPass instance. An attacker could exploit this vulnerability to obtain and modify sensitive information in the underlying database.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:NExploitability: 1.2 | Impact: 5.2

Affected Packages2 packages

▶NVDarubanetworks/clearpass_policy_manager6.9.0 — 6.9.5+2

▶CVEListV5hewlett_packard_enterprise/aruba_clearpass_policy_managerPrior to 6.9.5, 6.8.8-HF1, 6.7.14-HF1

🔴Vulnerability Details

GHSA

GHSA-8649-q8g4-g5mg: A remote authenticated SQL Injection vulnerabilitiy was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6↗2022-05-24

▶

CVEList

CVE-2021-26685: A remote authenticated SQL Injection vulnerabilitiy was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6↗2021-02-23

▶