- 71/2024
- High
Aruba has released a security update to fix multiple vulnerabilities affecting HPE Aruba ClearPass Policy Manager.
The addressed vulnerabilities could allow the remote attacker to obtain sensitive information, perform cross-site scripting, or execute arbitrary commands and gain access to the affected product.
Sample of the addressed vulnerabilities:
1. HPE Aruba ClearPass Policy Manager Command Execution (CVE-2024-26294):
- CVSS: 7.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Gain Access
2. HPE Aruba ClearPass Policy Manager Cross-Site Scripting (CVE-2024-26299):
- CVSS: 6.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Cross-Site Scripting
Affected Products:
- ClearPass Policy Manager 6.12.x: 6.12.0.
- ClearPass Policy Manager 6.11.x: 6.11.6 and below.
- ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below.
- ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below.
Vulnerabilities
- CVE-2024-26294
- CVE-2024-26295
- CVE-2024-26296
- CVE-2024-26297
- CVE-2024-26298
- CVE-2024-26299
- CVE-2024-26300
- CVE-2024-26301
- CVE-2024-26302
- CVE-2023-50164
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.