EUVD-2024-54780

CVE-2024-51769 HIGH
2025-07-14 [email protected]
7.5 (CVSS 3.1)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 16, 2026 - 09:43 (vuln.today)
EUVD ID Assigned: Mar 16, 2026 - 09:43 (euvd), EUVD-2024-54780
CVE Published: Jul 14, 2025 - 11:15 (nvd), HIGH 7.5

Description

An information disclosure vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.17.

Analysis

CVE-2024-51769 is an information disclosure vulnerability in HPE AutoPass License Server (APLS) versions prior to 9.17 that allows unauthenticated network attackers to access sensitive information without requiring user interaction. The vulnerability has a CVSS 3.1 score of 7.5 with a high confidentiality impact (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor), making it a significant risk for organizations relying on APLS for license management across their HPE infrastructure.

Technical Context

HPE AutoPass License Server (APLS) is a centralized license management solution for HPE software and hardware products. The vulnerability stems from improper information exposure (CWE-200), a common weakness class indicating that sensitive data is made accessible to actors without proper authorization controls. The affected product uses network-accessible services (evidenced by CVSS AV:N) that fail to implement adequate access controls or data classification mechanisms. This typically manifests in license server APIs, web interfaces, or backend services that expose confidential licensing metadata, entitlement information, or system configuration details. The lack of authentication requirements (PR:N in CVSS vector) suggests the vulnerability exists in unauthenticated endpoints or services that should require credential validation before responding with sensitive information.

Affected Products

HPE AutoPass License Server (APLS) versions prior to 9.17. Specific affected version range: APLS 9.0 through 9.16 (and potentially earlier versions). The vulnerability was resolved in APLS 9.17 and later. Note: CPE string would be cpe:2.3:a:hpe:autopass_license_server:*:*:*:*:*:*:*:* with version constraints <9.17. This affects all organizations running APLS in their license management infrastructure for HPE product entitlements.

Remediation

Immediate action: Upgrade HPE AutoPass License Server to version 9.17 or later. Organizations unable to immediately patch should:

(1) Implement network-level access controls to restrict APLS service accessibility to only authorized administrative users and systems;
(2) Deploy APLS instances on isolated internal networks without public internet exposure;
(3) Implement firewall rules limiting access to APLS ports (typically 7070, 27000, or custom ports) to trusted IP ranges only;
(4) Monitor APLS access logs for suspicious unauthenticated requests;
(5) Review APLS security event logs for evidence of information disclosure attempts.

Consult the HPE Security Advisory (reference HPE PSRT documentation) for detailed upgrade procedures and rollback plans. Test patches in non-production environments before production deployment given the critical nature of license infrastructure.

Priority Score

38
KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0
