A SQL injection vulnerability has been identified in HPE Aruba Networking's AOS-8 and AOS-10 operating systems. This vulnerability exists in several service components accessible through the command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit this vulnerability by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.
Exploitation of this vulnerability could lead to unauthorized execution of arbitrary commands on the affected system's operating system with elevated privileges.
Users can upgrade to AOS-10.8.x.x (10.8.0.1 and above), AOS-10.7.x.x (10.7.2.3 and above), AOS-10.4.x.x (10.4.1.11 and above), AOS-8.13.x.x (8.13.1.2 and above), AOS-8.12.x.x (8.12.0.7 and above) or AOS-8.10.x.x (8.10.0.22 and above). HPE Aruba Networking does not evaluate or patch AOS-10 Gateway and AOS-8 Controller/Mobility Conductor software branches that have reached their End of Maintenance (EoM) milestone.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
