CVE-2023-37436
Published 2023-08-22
CVE-2023-37436: Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL…
Priority: P3 (37) · medium · 6.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.57% (42.8th percentile)
Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to
obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | httpd | — | — |
| arubanetworks | edgeconnect_sd-wan_orchestrator | < 9.3.1 | 9.3.1 |
| hewlett_packard_enterprise | edgeconnect_sd-wan_orchestrator | Orchestrator 9.1.x – <=9.1.* | — |
| hewlett_packard_enterprise | edgeconnect_sd-wan_orchestrator | Orchestrator 9.2.x – <=9.2.* | — |
| hewlett_packard_enterprise | edgeconnect_sd-wan_orchestrator | Orchestrator 9.3.x – <=9.3.0 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |
| vendor_apache | — | 5.3 | — | — |
| vendor_oracle | — | 5.3 | MEDIUM | — |
GHSA
GHSA-x9p8-pp8w-6q2g · ghsa_unreviewed · 2023-08-22 · CVE-2023-37436 · MEDIUM · CWE-89
Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct SQL injection attacks against the EdgeConnect SD-WAN Orchestrator instance. An attacker could exploit these vulnerabilities to
obtain and modify sensitive information in the underlying database potentially leading to the exposure and corruption of sensitive data controlled by the EdgeConnect SD-WAN Orchestrator host.
Oracle
Oracle Fusion Middleware Risk Matrix: SSL Module (Apache HTTP Server) — CVE-2022-37436
vendor_oracle · 2023-10-15 · CVSS 5.3 · MEDIUM
Note: the Oracle and Apache entries below describe CVE-2022-37436, an Apache HTTP Server issue, not CVE-2023-37436.
CVE: CVE-2022-37436
CVSS: 5.3
Protocol: HTTPS
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2023 (OCT 2023)
Apache
Apache httpd: CVE-2022-37436
vendor_apache · CVSS 5.3
Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
Acknowledgements: finder: Dimas Fariski Setyawan Putra (@nyxsorcerer)
Reported to security team: 2022-07-14
Update 2.4.55 released: 2023-01-17
Affects: before 2.4.55
Severity: moderate
Affected versions: 2.4.55
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2023-08-22