Aos Cx
CVE-2022-23679
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
AOS-CX lacks Anti-CSRF protections in place for state-changing operations. This can potentially be exploited by an attacker to execute commands in the context of another user in ArubaOS-CX Switches version(s): AOS-CX 10.10.xxxx: 10.10.0002 and below, AOS-CX 10.09.xxxx: 10.09.1020 and below, AOS-CX 10.08.xxxx: 10.08.1060 and below, AOS-CX 10.06.xxxx: 10.06.0200 and below. Aruba has released upgrades for ArubaOS-CX Switch Devices that address this security vulnerability.
AnalysisAI
AOS-CX lacks Anti-CSRF protections in place for state-changing operations. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Request Forgery (CSRF) (CWE-352), which allows attackers to trick authenticated users into performing unintended actions. AOS-CX lacks Anti-CSRF protections in place for state-changing operations. This can potentially be exploited by an attacker to execute commands in the context of another user in ArubaOS-CX Switches version(s): AOS-CX 10.10.xxxx: 10.10.0002 and below, AOS-CX 10.09.xxxx: 10.09.1020 and below, AOS-CX 10.08.xxxx: 10.08.1060 and below, AOS-CX 10.06.xxxx: 10.06.0200 and below. Aruba has released upgrades for ArubaOS-CX Switch Devices that address this security vulnerability. Affected products include: Arubanetworks Aos-Cx.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement anti-CSRF tokens, validate Origin/Referer headers, use SameSite cookie attribute.
A vulnerability in the web-based management interface of AOS-CX could allow a remote authenticated user with read-only p
AOS-CX lacks Anti-CSRF protections in place for state-changing operations. Rated high severity (CVSS 8.8), this vulnerab
Multiple vulnerabilities exist in the AOS-CX command line interface that could lead to authenticated command injection.
Multiple vulnerabilities exist in the AOS-CX command line interface that could lead to authenticated command injection.
Authenticated command injection vulnerabilities exist in the AOS-CX Network Analytics Engine via NAE scripts. Rated high
A vulnerability exists in certain AOS-CX switch models which could allow an attacker with access to the recovery console
A vulnerability in the web-based management interface of AOS-CX could allow a remote unauthenticated attacker to fingerp
Multiple vulnerabilities exist in the processing of packet data by the LLDP service of AOS-CX. Rated medium severity (CV
Multiple vulnerabilities exist in the processing of packet data by the LLDP service of AOS-CX. Rated medium severity (CV
Multiple vulnerabilities exist in the processing of packet data by the LLDP service of AOS-CX. Rated medium severity (CV
Multiple vulnerabilities exist in the processing of packet data by the LLDP service of AOS-CX. Rated medium severity (CV
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today