CVE-2023-22791

A vulnerability exists in Aruba InstantOS and ArubaOS 10 where an edge-case combination of network configuration, a specific WLAN environment and an attacker already possessing valid user credentials on that WLAN can lead to sensitive information being disclosed via the WLAN. The scenarios in which this disclosure of potentially sensitive information can occur are complex and depend on factors that are beyond the control of the attacker.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 4.2

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt	Vendor Advisory
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:arubanetworks:arubaos::::::::
	cpe:2.3:o:hp:instantos::::::::
	cpe:2.3:o:hp:instantos::::::::
	cpe:2.3:o:hp:instantos::::::::
	cpe:2.3:o:hp:instantos::::::::
	cpe:2.3:o:hp:instantos::::::::
	cpe:2.3:o:hp:instantos::::::::

History

21 Nov 2024, 07:45

Type	Values Removed	Values Added
References	~~() https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt - Vendor Advisory~~	() https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt - Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~4.8~~	v2 : unknown v3 : 5.4

12 May 2023, 16:02

Type	Values Removed	Values Added
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 4.8
CPE		cpe:2.3:o:arubanetworks:arubaos:::::::: cpe:2.3:o:hp:instantos::::::::
First Time		Arubanetworks Arubanetworks arubaos Hp Hp instantos
References	~~(MISC) https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt -~~	(MISC) https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt - Vendor Advisory

08 May 2023, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-05-08 15:15

Updated : 2024-11-21 07:45

NVD link : CVE-2023-22791

Mitre link : CVE-2023-22791

CVE.ORG link : CVE-2023-22791

JSON object : View

Products Affected

hp

instantos

arubanetworks

arubaos

CWE

NVD-CWE-noinfo

{"id": "CVE-2023-22791", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-alert@hpe.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 1.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}]}, "published": "2023-05-08T15:15:10.647", "references": [{"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt", "tags": ["Vendor Advisory"], "source": "security-alert@hpe.com"}, {"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-006.txt", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability exists in Aruba InstantOS and ArubaOS 10\u00a0where an edge-case combination of network configuration, a\u00a0specific WLAN environment and an attacker already possessing\u00a0valid user credentials on that WLAN can lead to sensitive\u00a0information being disclosed via the WLAN. The scenarios in\u00a0which this disclosure of potentially sensitive information\u00a0can occur are complex and depend on factors that are beyond\u00a0the control of the attacker."}], "lastModified": "2024-11-21T07:45:26.073", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E9226A2A-7048-4300-AC20-7629AA05E9D9", "versionEndIncluding": "10.3.1.0", "versionStartIncluding": "10.3.0.0"}, {"criteria": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "93F7D378-2A4F-4A5B-BF1D-3AF38B61C626", "versionEndIncluding": "6.4.4.8-4.2.4.20", "versionStartIncluding": "6.4.0.0"}, {"criteria": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "286BD7C8-D7AB-4DEB-AF86-08E246230A50", "versionEndIncluding": "6.5.4.23", "versionStartIncluding": "6.5.0.0"}, {"criteria": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F892CBE-3BFF-49F6-9101-171C5A4C1503", "versionEndExcluding": "8.6.0.0", "versionStartIncluding": "8.4.0.0"}, {"criteria": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7D7E179A-F8E7-49E3-9049-FE8AD39EB0DF", "versionEndIncluding": "8.6.0.19", "versionStartIncluding": "8.6.0.0"}, {"criteria": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3A8FE10-DA46-43BF-9713-A844CC935AD9", "versionEndIncluding": "8.9.0.0", "versionStartIncluding": "8.7.0.0"}, {"criteria": "cpe:2.3:o:hp:instantos:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B1F4CC3E-1DBE-405D-869D-21499960C11B", "versionEndIncluding": "8.10.0.4", "versionStartIncluding": "8.10.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-alert@hpe.com"}