Remote Auth Bypass in HPE OneView APIs
CVE-2023-30909 Published on September 14, 2023
A remote authentication bypass issue exists in some OneView APIs.
Vulnerability Analysis
CVE-2023-30909 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
Authentication Bypass by Capture-replay
A capture-replay flaw exists when the design of the software makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). Capture-replay attacks are common and can be difficult to defeat without cryptography. They are a subset of network injection attacks that rely on observing previously-sent valid commands, then changing them slightly if necessary and resending the same commands to the server.
Products Associated with CVE-2023-30909
Want to know whenever a new CVE is published for HP Oneview? stack.watch will email you.
Affected Versions
Hewlett Packard Enterprise (HPE) HPE OneView:- Before 8.30.01 is affected.
- Before 6.60.05 is affected.
- Version 7.00.00 is affected.
- Version 7.10.00 is affected.
- Version 7.20.00 is affected.
- Version 8.00.00 is affected.
- Version 8.10.00 is affected.
- Version 8.20.00 is affected.
- Version 8.30.00 is affected.
- Version 8.40.00 is affected.
- Before 2.81 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.