A command injection vulnerability has been identified in the web-based management interface of HPE Aruba Networking Operating Systems AOS-8 and AOS-10. This vulnerability allows authenticated remote attackers to execute arbitrary commands on the underlying operating system. The issue arises from improper input validation in the file path parameter of the certificate download functionality, which could be exploited to overwrite arbitrary files on the system.
Exploitation of this vulnerability could lead to authenticated remote code execution on the affected system, with the executed commands running as a privileged user.
Users can upgrade to AOS-10.8.x.x (10.8.0.1 and above), AOS-10.7.x.x (10.7.2.3 and above), AOS-10.4.x.x (10.4.1.11 and above), AOS-8.13.x.x (8.13.1.2 and above), AOS-8.12.x.x (8.12.0.7 and above) or AOS-8.10.x.x (8.10.0.22 and above). HPE Aruba Networking does not evaluate or patch AOS-10 Gateway and AOS-8 Controller/Mobility Conductor software branches that have reached their End of Maintenance (EoM) milestone.
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
