#VU73905 OS Command Injection in Aruba Networks products - CVE-2023-1168
Published: March 21, 2023
Vulnerability identifier: #VU73905
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-1168
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Aruba CX 10000 Switch Series
Aruba CX 9300 Switch Series
Aruba CX 8400 Switch Series
Aruba CX 8360 Switch Series
Aruba CX 8325 Switch Series
Aruba CX 8320 Switch Series
Aruba CX 6400 Switch Series
Aruba CX 6300 Switch Series
Aruba CX 6200F Switch Series
ArubaOS-CX (AOS-CX)
Software vendor:
Aruba Networks
Description
The vulnerability allows a remote user to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in the AOS-CX Network Analytics Engine. A remote privileged user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Remediation
Install updates from the vendor's website.