CVE-2023-22790 — Command Injection in HP Instantos

CWE-77 — Command Injection3 documents3 sources

Severity

8.8HIGHNVD

CNA7.2

EPSS

0.3%

top 47.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

HP Instantos Arubanetworks Arubaos Hewlett Packard Enterprise Aruba Access Points Running Instantos AND Arubaos 10

Timeline

PublishedMay 8

Latest updateJul 6

Description

Multiple authenticated command injection vulnerabilities exist in the Aruba InstantOS and ArubaOS 10 command line interface. Successful exploitation of these vulnerabilities result in the ability to execute arbitrary commands as a privileged user on the underlying operating system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5hewlett_packard_enterprise/aruba_access_points_running_instantos_and_arubaos_106 versions+5

▶NVDarubanetworks/arubaos10.3.0.0 — 10.3.1.0

▶NVDhp/instantos8.4.0.0 — 8.6.0.0+5

🔴Vulnerability Details

GHSA

GHSA-g5h4-mpxv-7964: Multiple authenticated command injection vulnerabilities exist in the Aruba InstantOS and ArubaOS 10 command line interface↗2023-07-06

▶

CVEList

Authenticated Remote Command Execution in Aruba InstantOS or ArubaOS 10 Command Line Interface↗2023-05-08

▶