Skip to main content

Edgeconnect Sd Wan Orchestrator CVE-2023-37428

HIGH
Path Traversal (CWE-22)
2023-08-22 security-alert@hpe.com
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Aug 22, 2023 - 19:16 nvd
HIGH 7.2

DescriptionNVD

A vulnerability in the EdgeConnect SD-WAN Orchestrator web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise.

AnalysisAI

A vulnerability in the EdgeConnect SD-WAN Orchestrator web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. A vulnerability in the EdgeConnect SD-WAN Orchestrator web-based management interface allows remote authenticated users to run arbitrary commands on the underlying host. A successful exploit could allow an attacker to execute arbitrary commands as root on the underlying operating system leading to complete system compromise. Affected products include: Arubanetworks Edgeconnect Sd-Wan Orchestrator.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2025-37184 CRITICAL
9.8 Jan 14

An Orchestrator service allows unauthenticated attackers to bypass MFA and create admin accounts without multi-factor au

CVE-2024-41914 CRITICAL
9.0 Jul 24

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated re

CVE-2024-41136 HIGH
8.8 Jul 24

An authenticated command injection vulnerability exists in the HPE Aruba Networking EdgeConnect SD-WAN gateways Command

CVE-2024-22443 HIGH
8.8 Jul 24

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated re

CVE-2023-37434 HIGH
8.1 Aug 22

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authent

CVE-2023-37433 HIGH
8.1 Aug 22

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authent

CVE-2023-37432 HIGH
8.1 Aug 22

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authent

CVE-2023-37431 HIGH
8.1 Aug 22

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authent

CVE-2023-37430 HIGH
8.1 Aug 22

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authent

CVE-2023-37429 HIGH
8.1 Aug 22

Multiple vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authent

CVE-2023-37424 HIGH
8.1 Aug 22

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an unauthenticated

CVE-2023-37426 HIGH
7.5 Aug 22

EdgeConnect SD-WAN Orchestrator instances prior to the versions resolved in this advisory were found to have shared stat

Share

CVE-2023-37428 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy