CVE-2018-7060 - OpenCVE

Aruba ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 is vulnerable to CSRF attacks against authenticated users. An attacker could manipulate an authenticated user into performing actions on the web administrative interface.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Arubanetworks	Clearpass

Configuration 1 [-]

OR	cpe:2.3:a:arubanetworks:clearpass::::::::
	cpe:2.3:a:arubanetworks:clearpass::::::::

References

Link	Resource
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-003.txt	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hpe

Published: 2018-08-06T20:00:00

Updated: 2018-08-06T19:57:01

Reserved: 2018-02-15T00:00:00

Link: CVE-2018-7060

JSON object: View

NVD Information

Status : Analyzed

Published: 2018-08-06T20:29:01.740

Modified: 2018-10-10T13:38:19.597

Link: CVE-2018-7060

JSON object: View

Redhat Information

No data.

CWE

CWE-352

{"containers": {"cna": {"affected": [{"product": "Aruba ClearPass", "vendor": "Hewlett Packard Enterprise", "versions": [{"status": "affected", "version": "6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1"}]}], "datePublic": "2018-03-21T00:00:00", "descriptions": [{"lang": "en", "value": "Aruba ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 is vulnerable to CSRF attacks against authenticated users. An attacker could manipulate an authenticated user into performing actions on the web administrative interface."}], "problemTypes": [{"descriptions": [{"description": "authenticated sessions are vulnerable to cross site request forgery (CSRF)", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-08-06T19:57:01", "orgId": "eb103674-0d28-4225-80f8-39fb86215de0", "shortName": "hpe"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-003.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-alert@hpe.com", "ID": "CVE-2018-7060", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Aruba ClearPass", "version": {"version_data": [{"version_value": "6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1"}]}}]}, "vendor_name": "Hewlett Packard Enterprise"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Aruba ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 is vulnerable to CSRF attacks against authenticated users. An attacker could manipulate an authenticated user into performing actions on the web administrative interface."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "authenticated sessions are vulnerable to cross site request forgery (CSRF)"}]}]}, "references": {"reference_data": [{"name": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-003.txt", "refsource": "CONFIRM", "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-003.txt"}]}}}}, "cveMetadata": {"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0", "assignerShortName": "hpe", "cveId": "CVE-2018-7060", "datePublished": "2018-08-06T20:00:00", "dateReserved": "2018-02-15T00:00:00", "dateUpdated": "2018-08-06T19:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:arubanetworks:clearpass:*:*:*:*:*:*:*:*", "matchCriteriaId": "EEE9BAD6-C72C-431B-ADF4-CFB5C047BE40", "versionEndExcluding": "6.6.9", "versionStartIncluding": "6.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:arubanetworks:clearpass:*:*:*:*:*:*:*:*", "matchCriteriaId": "76641E6C-60EA-4B60-BA17-1F14F803CC8D", "versionEndExcluding": "6.7.1", "versionStartIncluding": "6.7.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Aruba ClearPass 6.6.x prior to 6.6.9 and 6.7.x prior to 6.7.1 is vulnerable to CSRF attacks against authenticated users. An attacker could manipulate an authenticated user into performing actions on the web administrative interface."}, {"lang": "es", "value": "Aruba ClearPass en versiones 6.6.x anteriores a la 6.6.9 y versiones 6.7.x anteriores a la 6.7.1 es vulnerable a ataques de Cross-Site Request Forgery (CSRF) contra usuarios autenticados. Un atacante podr\u00eda manipular a un usuario autenticado para qu realice acciones en la interfaz web administrativa."}], "id": "CVE-2018-7060", "lastModified": "2018-10-10T13:38:19.597", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-08-06T20:29:01.740", "references": [{"source": "security-alert@hpe.com", "tags": ["Vendor Advisory"], "url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-003.txt"}], "sourceIdentifier": "security-alert@hpe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}