Vulnerability Name:

CVE-2021-41002 (CCN-220883)

Assigned:2021-09-13
Published:2022-02-22
Updated:2022-09-27
Summary:Multiple authenticated remote path traversal vulnerabilities were discovered in the AOS-CX command line interface in Aruba CX 6200F Switch Series, Aruba 6300 Switch Series, Aruba 6400 Switch Series, Aruba 8320 Switch Series, Aruba 8325 Switch Series, Aruba 8400 Switch Series, Aruba CX 8360 Switch Series version(s): AOS-CX 10.06.xxxx: 10.06.0170 and below, AOS-CX 10.07.xxxx: 10.07.0050 and below, AOS-CX 10.08.xxxx: 10.08.1030 and below, AOS-CX 10.09.xxxx: 10.09.0002 and below. Aruba has released upgrades for Aruba AOS-CX devices that address these security vulnerabilities.
CVSS v3 Severity:8.1 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
7.1 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): High
5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): High
Availibility (A): Low
CVSS v2 Severity:8.5 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Complete
Availibility (A): Complete
7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Complete
Availibility (A): Partial
Vulnerability Type:CWE-22
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2021-41002

Source: XF
Type: UNKNOWN
arubanetworks-cve202141002-dir-trav(220883)

Source: CCN
Type: Aruba Product Security Advisory ID: ARUBA-PSA-2022-004
AOS-CX Switches Multiple Vulnerabilities

Source: MISC
Type: Vendor Advisory
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-004.txt

Vulnerable Configuration:Configuration 1:
  • cpe:/o:hpe:arubaos-cx:*:*:*:*:*:*:*:* (Version >= 10.09.0001 and <= 10.09.0002)
  • OR cpe:/o:hpe:arubaos-cx:*:*:*:*:*:*:*:* (Version >= 10.08.0001 and <= 10.08.1030)
  • OR cpe:/o:hpe:arubaos-cx:*:*:*:*:*:*:*:* (Version >= 10.07.0001 and <= 10.07.0050)
  • OR cpe:/o:hpe:arubaos-cx:*:*:*:*:*:*:*:* (Version >= 10.06.0001 and <= 10.06.0170)
  • AND
  • cpe:/h:hpe:aruba_cx_6200f:-:*:*:*:*:*:*:*
  • OR cpe:/h:hpe:aruba_cx_6300f:-:*:*:*:*:*:*:*
  • OR cpe:/h:hpe:aruba_cx_6300m:-:*:*:*:*:*:*:*
  • OR cpe:/h:hpe:aruba_cx_6405:-:*:*:*:*:*:*:*
  • OR cpe:/h:hpe:aruba_cx_6410:-:*:*:*:*:*:*:*
  • OR cpe:/h:hpe:aruba_8320:-:*:*:*:*:*:*:*
  • OR cpe:/h:hpe:aruba_8325-32-c:-:*:*:*:*:*:*:*
  • OR cpe:/h:hpe:aruba_8400x:-:*:*:*:*:*:*:*
  • OR cpe:/h:hpe:aruba_8360-32y4c:-:*:*:*:*:*:*:*
  • OR cpe:/h:hpe:aruba_8325-48y8c:-:*:*:*:*:*:*:*
  • OR cpe:/h:hpe:aruba_8360-12c:-:*:*:*:*:*:*:*
  • OR cpe:/h:hpe:aruba_8360-16y2c:-:*:*:*:*:*:*:*
  • OR cpe:/h:hpe:aruba_8360-24xf2c:-:*:*:*:*:*:*:*
  • OR cpe:/h:hpe:aruba_8360-48xt4c:-:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    hpe arubaos-cx *
    hpe arubaos-cx *
    hpe arubaos-cx *
    hpe arubaos-cx *
    hpe aruba cx 6200f -
    hpe aruba cx 6300f -
    hpe aruba cx 6300m -
    hpe aruba cx 6405 -
    hpe aruba cx 6410 -
    hpe aruba 8320 -
    hpe aruba 8325-32-c -
    hpe aruba 8400x -
    hpe aruba 8360-32y4c -
    hpe aruba 8325-48y8c -
    hpe aruba 8360-12c -
    hpe aruba 8360-16y2c -
    hpe aruba 8360-24xf2c -
    hpe aruba 8360-48xt4c -