Skip to main content

Clearpass CVE-2021-29147

HIGH
OS Command Injection (CWE-78)
2021-04-29 security-alert@hpe.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Apr 29, 2021 - 12:15 nvd
HIGH 8.8

DescriptionNVD

A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability.

AnalysisAI

A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as OS Command Injection (CWE-78), which allows attackers to execute arbitrary operating system commands on the host. A remote arbitrary command execution vulnerability was discovered in Aruba ClearPass Policy Manager version(s) prior to 6.9.5, 6.8.9, 6.7.14-HF1. Aruba has released patches for Aruba ClearPass Policy Manager that address this security vulnerability. Affected products include: Arubanetworks Clearpass. Version information: prior to 6.9.5.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Avoid passing user input to shell commands. Use language-specific APIs instead of shell execution. Apply strict input validation with allowlists.

CVE-2014-6626 CRITICAL
10.0 Nov 19

Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 does not properly restrict access to unspecified administra

CVE-2014-5342 CRITICAL
10.0 Nov 19

Aruba Networks ClearPass before 6.3.5 and 6.4.x before 6.4.1 allows remote attackers to execute arbitrary commands via u

CVE-2016-2034 CRITICAL
9.8 Jun 08

SQL injection vulnerability in ClearPass Policy Manager 6.5.x through 6.5.6 and 6.6.0. Rated critical severity (CVSS 9.8

CVE-2021-29145 CRITICAL
9.8 Apr 29

A remote server side request forgery (SSRF) remote code execution vulnerability was discovered in Aruba ClearPass Policy

CVE-2020-7114 CRITICAL
9.8 Apr 16

A vulnerability exists allowing attackers, when present in the same network segment as ClearPass' management interface,

CVE-2014-6627 CRITICAL
9.0 Nov 19

Aruba Networks ClearPass before 6.3.5 and 6.4.x before 6.4.1 allows remote attackers to execute arbitrary commands via u

CVE-2014-6625 CRITICAL
9.0 Nov 19

The Policy Manager in Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 allows remote authenticated users to

CVE-2015-3655 HIGH
8.8 Aug 29

Cross-site request forgery (CSRF) vulnerability in Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before

CVE-2018-7060 HIGH
8.8 Aug 06

Aruba ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 is vulnerable to CSRF attacks against authenticated users.

CVE-2021-29140 HIGH
8.2 Apr 29

A remote XML external entity (XXE) vulnerability was discovered in Aruba ClearPass Policy Manager version(s): Prior to 6

CVE-2015-4649 HIGH
7.2 Aug 29

Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated administrators t

CVE-2015-3654 HIGH
7.2 Aug 29

Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated administrators t

Share

CVE-2021-29147 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy