HPE Aruba Networking AOS-8 and AOS-10 Command Injection Vulnerability in Web-Based Management Interface

Vulnerability

A command injection vulnerability has been identified in the web-based management interface of HPE Aruba Networking AOS-8 and AOS-10 operating systems. This vulnerability allows authenticated remote attackers to execute arbitrary commands on the underlying operating system. The issue arises from improper input validation in the file path parameter of the certificate download functionality, which could be exploited to overwrite arbitrary files on the system.

Impact

Exploitation of this vulnerability could lead to authenticated remote code execution on the affected system, with the executed commands running as a privileged user.

Remediation

Users can upgrade to AOS-10.8.0.1 and above, AOS-10.7.2.3 and above, AOS-10.4.1.11 and above, AOS-8.13.1.2 and above, AOS-8.12.0.7 and above, or AOS-8.10.0.22 and above. For AOS-8.12.x.x, a one-time exception patch has been released to address vulnerabilities affecting versions 8.12.0.6 and below.
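The fixed-release list above can be applied to a device inventory, as in this added example (not vendor code). The hostnames and the "hostname version" inventory format are constructed, and branches the advisory does not list are flagged for manual review rather than guessed.

```python
import re

# Minimum fixed release per branch, copied from the Remediation paragraph.
FIXED = {
    (10, 8): (10, 8, 0, 1), (10, 7): (10, 7, 2, 3),
    (10, 4): (10, 4, 1, 11), (8, 13): (8, 13, 1, 2),
    (8, 12): (8, 12, 0, 7), (8, 10): (8, 10, 0, 22),
}
# A.B.C.D with an optional "AOS-" prefix; a trailing build suffix is an assumed format.
VERSION_RE = re.compile(r"^(?:AOS-)?(\d+)\.(\d+)\.(\d+)\.(\d+)(?:[-_ ].*)?$")

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not A.B.C.D."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def classify(text):
    """Return 'fixed', 'needs-upgrade', 'unlisted-branch' or 'unparsed'.

    'unlisted-branch' means the advisory names no fixed release for that
    branch, so the device needs manual review.
    """
    version = parse_version(text)
    if version is None:
        return "unparsed"
    minimum = FIXED.get(version[:2])
    if minimum is None:
        return "unlisted-branch"
    # Tuple comparison is numeric: 8.10.0.9 < 8.10.0.22, which a string compare gets wrong.
    return "fixed" if version >= minimum else "needs-upgrade"

def triage(inventory):
    """Map hostname -> status for lines of the form 'hostname version'."""
    result = {}
    for line in inventory.strip().splitlines():
        host, _, version = line.strip().partition(" ")
        result[host] = classify(version)
    return result

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = """
mc-hq-01 8.10.0.9
mc-hq-02 8.10.0.22
mc-dc-01 8.12.0.6
gw-br-01 10.4.1.11
gw-br-02 10.7.2.1
gw-br-03 10.6.0.3
ap-lab-01 unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:10} {status}")
```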

Added: May 12, 2026, 8:33 PM
Updated: May 12, 2026, 8:33 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 7.5
exploitability: 4.9
remediation: 7.9
relevance: 8.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.