Aruba Security Updates 07 December 2022

Aruba has released security updates to fix vulnerabilities in Aruba ClearPass Policy Manager 6.10.x (6.10.7 and below) and 6.9.x (6.9.12 and below).

The addressed vulnerabilities could allow a remote attacker to obtain and modify sensitive information, conduct a stored cross-site scripting (XSS) attack, execute arbitrary code, and cause a denial of service.

Samples of the addressed vulnerabilities:

1- Authenticated SQL Injection Vulnerabilities in ClearPass Policy Manager Web-based Management Interface (CVE-2022-43530):
• CVSS: 8.8
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Consequences: Manipulating Data
2- Authenticated Stored Cross-Site Scripting Vulnerability in ClearPass Policy Manager Web-Based Management Interface (CVE-2022-43532):
• CVSS: 8.0
• Attack Vector: Network
• Attack Complexity: High
• Privileges Required: None
• User Interaction: Required
• Consequences: Cross-Site Scripting

 

Vulnerabilities

• CVE-2022-43530

• CVE-2022-43531

• CVE-2022-43532

• CVE-2022-43533

• CVE-2022-43534

• CVE-2022-43535

• CVE-2022-43536

• CVE-2022-43537

• CVE-2022-43538

• CVE-2022-43539

• CVE-2022-43540

• CVE-2002-20001 

Mitigations

The enterprise should deploy this workaround until the patch is released.

Aruba Security Advisory

References