CVE-2022-37908 — Download of Code Without Integrity Check in Arubaos

CWE-494 — Download of Code Without Integrity Check3 documents3 sources

Severity

6.5MEDIUMNVD

CNA5.8

EPSS

0.1%

top 74.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

2

Arubanetworks Arubaos Arubanetworks Sd-wan

Timeline

PublishedDec 12

Description

An authenticated attacker can impact the integrity of the ArubaOS bootloader on 7xxx series controllers. Successful exploitation can compromise the hardware chain of trust on the impacted controller.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶NVDarubanetworks/arubaos6.5.4.0 — 6.5.4.22+3

▶NVDarubanetworks/sd-wan8.7.0.0-2.3.0.0 — 8.7.0.0-2.3.0.6

🔴Vulnerability Details

2

GHSA

GHSA-3x8r-xvj6-wr9x: An authenticated attacker can impact the integrity of the ArubaOS bootloader on 7xxx series controllers↗2022-12-12

▶

CVEList

CVE-2022-37908: An authenticated attacker can impact the integrity of the ArubaOS bootloader on 7xxx series controllers↗2022-11-03

▶

CVE-2022-37908 — Arubanetworks Arubaos vulnerability | cvebase