Vulnerability Details : CVE-2022-43529
A vulnerability in the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow an remote attacker to persist a session after a password reset or similar session clearing event. Successful exploitation of this vulnerability could allow an authenticated attacker to remain on the system with the permissions of their current session after the session should be invalidated in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator 9.2.1.40179 and below, - Orchestrator 9.1.4.40436 and below, - Orchestrator 9.0.7.40110 and below, - Orchestrator 8.10.23.40015 and below, - Any older branches of Orchestrator not specifically mentioned.
Products affected by CVE-2022-43529
- Arubanetworks » Aruba Edgeconnect Enterprise Orchestrator » As-a-service EditionVersions from including (>=) 9.0.0 and up to, including, (<=) 9.0.7.40110cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:as-a-service:*:*:*
- Arubanetworks » Aruba Edgeconnect Enterprise Orchestrator » Global Enterprise Tenant Orchestrators EditionVersions from including (>=) 9.0.0 and up to, including, (<=) 9.0.7.40110cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:global_enterprise_tenant_orchestrators:*:*:*
- Arubanetworks » Aruba Edgeconnect Enterprise Orchestrator » SP EditionVersions up to, including, (<=) 8.10.23.40015cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:sp:*:*:*
- Arubanetworks » Aruba Edgeconnect Enterprise Orchestrator » On-premises EditionVersions from including (>=) 9.2.0 and up to, including, (<=) 9.2.1.40179cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:on-premises:*:*:*
- Arubanetworks » Aruba Edgeconnect Enterprise Orchestrator » As-a-service EditionVersions from including (>=) 9.1.0 and up to, including, (<=) 9.1.4.40436cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:as-a-service:*:*:*
- Arubanetworks » Aruba Edgeconnect Enterprise Orchestrator » SP EditionVersions from including (>=) 9.1.0 and up to, including, (<=) 9.1.4.40436cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:sp:*:*:*
- Arubanetworks » Aruba Edgeconnect Enterprise Orchestrator » Global Enterprise Tenant Orchestrators EditionVersions from including (>=) 9.2.0 and up to, including, (<=) 9.2.1.40179cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:global_enterprise_tenant_orchestrators:*:*:*
- Arubanetworks » Aruba Edgeconnect Enterprise Orchestrator » As-a-service EditionVersions from including (>=) 9.2.0 and up to, including, (<=) 9.2.1.40179cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:as-a-service:*:*:*
- Arubanetworks » Aruba Edgeconnect Enterprise Orchestrator » As-a-service EditionVersions up to, including, (<=) 8.10.23.40015cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:as-a-service:*:*:*
- Arubanetworks » Aruba Edgeconnect Enterprise Orchestrator » On-premises EditionVersions from including (>=) 9.0.0 and up to, including, (<=) 9.0.7.40110cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:on-premises:*:*:*
- Arubanetworks » Aruba Edgeconnect Enterprise Orchestrator » On-premises EditionVersions up to, including, (<=) 8.10.23.40015cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:on-premises:*:*:*
- Arubanetworks » Aruba Edgeconnect Enterprise Orchestrator » On-premises EditionVersions from including (>=) 9.1.0 and up to, including, (<=) 9.1.4.40436cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:on-premises:*:*:*
- Arubanetworks » Aruba Edgeconnect Enterprise Orchestrator » SP EditionVersions from including (>=) 9.0.0 and up to, including, (<=) 9.0.7.40110cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:sp:*:*:*
- Arubanetworks » Aruba Edgeconnect Enterprise Orchestrator » SP EditionVersions from including (>=) 9.2.0 and up to, including, (<=) 9.2.1.40179cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:sp:*:*:*
- Arubanetworks » Aruba Edgeconnect Enterprise Orchestrator » Global Enterprise Tenant Orchestrators EditionVersions from including (>=) 9.1.0 and up to, including, (<=) 9.1.4.40436cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:global_enterprise_tenant_orchestrators:*:*:*
- Arubanetworks » Aruba Edgeconnect Enterprise Orchestrator » Global Enterprise Tenant Orchestrators EditionVersions up to, including, (<=) 8.10.23.40015cpe:2.3:a:arubanetworks:aruba_edgeconnect_enterprise_orchestrator:*:*:*:*:global_enterprise_tenant_orchestrators:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-43529
0.17%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 35 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-43529
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
5.4
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
2.8
|
2.5
|
NIST | |
|
4.6
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
2.1
|
2.5
|
Hewlett Packard Enterprise (HPE) |
CWE ids for CVE-2022-43529
-
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2022-43529
-
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-021.txt
Mitigation;Vendor Advisory
Jump to