SB2025010625 - Multiple vulnerabilities in HPE Cloudline CL4150 Gen10 Server

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025010625

SB2025010625 - Multiple vulnerabilities in HPE Cloudline CL4150 Gen10 Server

Published: January 6, 2025

Security Bulletin ID SB2025010625
Severity
High
Patch available
YES
Number of vulnerabilities 6
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Medium 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.


1) Improper Authentication (CVE-ID: CVE-2022-40259)

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests. A remote attacker can bypass authentication process and gain unauthorized access to the application.


2) Insufficiently protected credentials (CVE-ID: CVE-2022-40242)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to insufficiently protected credentials, which leads to security restrictions bypass and privilege escalation.


3) Security features bypass (CVE-ID: CVE-2022-32265)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the affected application does not ensure the percent character is followed by two hex digits for URL decoding. A remote attacker can launch further attacks on the system.


4) Improper access control (CVE-ID: CVE-2022-2827)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and gain unauthorized access to sensitive information on the system.


5) Weak Password Recovery Mechanism for Forgotten Password (CVE-ID: CVE-2022-26872)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to weak password recovery mechanism for forgotten password. A remote unauthenticated attacker can trick the victim into opening a specially crafted file and execute arbitrary code on the target system.


6) Use of Password Hash With Insufficient Computational Effort (CVE-ID: CVE-2022-40258)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to AMI Megarac uses weak password hashes for Redfish. A remote attacker can gain unauthorized access to sensitive information on the system.


Remediation

Install update from vendor's website.

References