CVE-2023-35979 : There is an unauthenticated buffer overflow vulnerability in the process contro

There is an unauthenticated buffer overflow vulnerability in the process controlling the ArubaOS web-based management interface. Successful exploitation of this vulnerability results in a Denial-of-Service (DoS) condition affecting the web-based management interface of the controller.

Published 2023-07-05 15:15:10

Updated 2023-07-11 17:49:51

Source Hewlett Packard Enterprise (HPE)

View at NVD, CVE.org

Vulnerability category: OverflowDenial of service

Products affected by CVE-2023-35979

Arubanetworks » Arubaos
Versions from including (>=) 10.4.0.0 and before (<) 10.4.0.2
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*
Matching versions
When used together with: Arubanetworks » Mc-va-10 » Version: N/A
When used together with: Arubanetworks » Mc-va-1k » Version: N/A
When used together with: Arubanetworks » Mc-va-250 » Version: N/A
When used together with: Arubanetworks » Mc-va-50 » Version: N/A
When used together with: Arubanetworks » Mcr-va-10k » Version: N/A
When used together with: Arubanetworks » Mcr-va-1k » Version: N/A
When used together with: Arubanetworks » Mcr-va-50 » Version: N/A
When used together with: Arubanetworks » Mcr-va-500 » Version: N/A
When used together with: Arubanetworks » Mcr-va-5k » Version: N/A
When used together with: Arubanetworks » Sd-wan » Version: N/A
When used together with: Arubanetworks » Mcr-hw-10k » Version: N/A
When used together with: Arubanetworks » Mcr-hw-1k » Version: N/A
When used together with: Arubanetworks » Mcr-hw-5k » Version: N/A
Arubanetworks » Arubaos
Versions from including (>=) 8.11.0.0 and before (<) 8.11.1.1
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*
Matching versions
When used together with: Arubanetworks » Mc-va-10 » Version: N/A
When used together with: Arubanetworks » Mc-va-1k » Version: N/A
When used together with: Arubanetworks » Mc-va-250 » Version: N/A
When used together with: Arubanetworks » Mc-va-50 » Version: N/A
When used together with: Arubanetworks » Mcr-va-10k » Version: N/A
When used together with: Arubanetworks » Mcr-va-1k » Version: N/A
When used together with: Arubanetworks » Mcr-va-50 » Version: N/A
When used together with: Arubanetworks » Mcr-va-500 » Version: N/A
When used together with: Arubanetworks » Mcr-va-5k » Version: N/A
When used together with: Arubanetworks » Sd-wan » Version: N/A
When used together with: Arubanetworks » Mcr-hw-10k » Version: N/A
When used together with: Arubanetworks » Mcr-hw-1k » Version: N/A
When used together with: Arubanetworks » Mcr-hw-5k » Version: N/A
Arubanetworks » Arubaos
Versions from including (>=) 8.7.0.0 and before (<) 8.10.0.7
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*
Matching versions
When used together with: Arubanetworks » Mc-va-10 » Version: N/A
When used together with: Arubanetworks » Mc-va-1k » Version: N/A
When used together with: Arubanetworks » Mc-va-250 » Version: N/A
When used together with: Arubanetworks » Mc-va-50 » Version: N/A
When used together with: Arubanetworks » Mcr-va-10k » Version: N/A
When used together with: Arubanetworks » Mcr-va-1k » Version: N/A
When used together with: Arubanetworks » Mcr-va-50 » Version: N/A
When used together with: Arubanetworks » Mcr-va-500 » Version: N/A
When used together with: Arubanetworks » Mcr-va-5k » Version: N/A
When used together with: Arubanetworks » Sd-wan » Version: N/A
When used together with: Arubanetworks » Mcr-hw-10k » Version: N/A
When used together with: Arubanetworks » Mcr-hw-1k » Version: N/A
When used together with: Arubanetworks » Mcr-hw-5k » Version: N/A
Arubanetworks » Arubaos
Versions from including (>=) 6.5.4.0 and before (<) 8.6.0.21
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*
Matching versions
When used together with: Arubanetworks » Mc-va-10 » Version: N/A
When used together with: Arubanetworks » Mc-va-1k » Version: N/A
When used together with: Arubanetworks » Mc-va-250 » Version: N/A
When used together with: Arubanetworks » Mc-va-50 » Version: N/A
When used together with: Arubanetworks » Mcr-va-10k » Version: N/A
When used together with: Arubanetworks » Mcr-va-1k » Version: N/A
When used together with: Arubanetworks » Mcr-va-50 » Version: N/A
When used together with: Arubanetworks » Mcr-va-500 » Version: N/A
When used together with: Arubanetworks » Mcr-va-5k » Version: N/A
When used together with: Arubanetworks » Sd-wan » Version: N/A
When used together with: Arubanetworks » Mcr-hw-10k » Version: N/A
When used together with: Arubanetworks » Mcr-hw-1k » Version: N/A
When used together with: Arubanetworks » Mcr-hw-5k » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2023-35979

EPSS FAQ

0.12%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 32 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-35979

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
5.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L	3.9	1.4	Hewlett Packard Enterprise (HPE)
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low

CWE ids for CVE-2023-35979

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2023-35979

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-008.txt

Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-35979

Products affected by CVE-2023-35979

Exploit prediction scoring system (EPSS) score for CVE-2023-35979

CVSS scores for CVE-2023-35979

CWE ids for CVE-2023-35979

References for CVE-2023-35979