
Multiple Vulnerabilities in HPE Aruba Networking EdgeConnect SD-WAN Orchestrator

HPE Aruba Networking has released patches for EdgeConnect SD-WAN Orchestrator that address multiple security vulnerabilities.

Affected Products

HPE Aruba Networking

  • EdgeConnect SD-WAN Orchestrator (self-hosted, on-premises)
  • EdgeConnect SD-WAN Orchestrator (self-hosted, public cloud IaaS)
  • EdgeConnect SD-WAN Orchestrator-as-a-Service
  • EdgeConnect SD-WAN Orchestrator-SP Tenant Orchestrators
  • EdgeConnect SD-WAN Orchestrator Global Enterprise Tenant Orchestrators

Affected Software Versions

  • EdgeConnect SD-WAN Orchestrator 9.4.x: Orchestrator 9.4.1 (all builds) and below
  • EdgeConnect SD-WAN Orchestrator 9.3.x: Orchestrator 9.3.2 (all builds) and below
  • EdgeConnect SD-WAN Orchestrator 9.2.x: Orchestrator 9.2.9 (all builds) and below
  • EdgeConnect SD-WAN Orchestrator 9.1.x: Orchestrator 9.1.9 (all builds) and below
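
To triage an inventory against the affected releases listed above, a check along these lines can be used. It is an added example, not HPE Aruba Networking code; the major.minor.patch version format with an optional build suffix, the status labels, and the sample host names are assumptions.

```python
import re

# Highest affected release in each branch, copied from the list above.
# "All builds" of these releases are affected, so build suffixes are ignored.
AFFECTED_MAX_PATCH = {(9, 4): 1, (9, 3): 2, (9, 2): 9, (9, 1): 9}

# Assumed version format: major.minor.patch with an optional build suffix.
_VERSION = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:[._-]\d+)*\s*$")


def triage(version):
    """Classify one Orchestrator version string against the affected list."""
    match = _VERSION.match(version)
    if not match:
        return "unparseable"
    major, minor, patch = (int(part) for part in match.groups())
    ceiling = AFFECTED_MAX_PATCH.get((major, minor))
    if ceiling is None:
        # The list says nothing about this branch; check the vendor advisory.
        return "branch-not-listed"
    return "affected" if patch <= ceiling else "above-listed-range"


def review_inventory(inventory):
    """Group (host, version) pairs by triage result."""
    report = {}
    for host, version in inventory:
        report.setdefault(triage(version), []).append(host)
    return report


# Constructed sample inventory; host names and build numbers are made up.
SAMPLE_INVENTORY = [
    ("orch-dc1", "9.4.1.40512"),
    ("orch-lab", "9.3.3"),
    ("orch-dr", "9.2.9"),
    ("orch-legacy", "8.10.5"),
    ("orch-unknown", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in review_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as branch-not-listed or unparseable need a manual check, because the list above does not cover them.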

Stored Cross-Site Scripting (XSS) Vulnerability in EdgeConnect SD-WAN Orchestrator Web Administration Interface (CVE-2024-41914)

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface.

Authenticated Server-Side Prototype Pollution Leading to Information Disclosure (CVE-2024-22443)

A vulnerability in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a server-side prototype pollution attack. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the underlying operating system, leading to complete system compromise.

Reflected Cross-Site Scripting in EdgeConnect SD-WAN Orchestrator Web Management Interface (CVE-2024-22444)

A vulnerability within the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim’s browser in the context of the affected interface.

Luke Simmonds

Blogger at www.systemtek.co.uk
