ClearPass Policy Manager: Remote Authenticated Info Disclosure
CVE-2024-26302 Published on February 27, 2024
A vulnerability in the web-based management interface of ClearPass Policy Manager could allow a remote attacker authenticated with low privileges to access sensitive information. A successful exploit allows an attacker to retrieve information which could be used to potentially gain further access to network services supported by ClearPass Policy Manager.
Vulnerability Analysis
CVE-2024-26302 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a high level of attack complexity. An exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Weakness Type
Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.
Products Associated with CVE-2024-26302
Affected Versions
Hewlett Packard Enterprise (HPE) Aruba ClearPass Policy Manager:
- Version ClearPass Policy Manager 6.12.x: 6.12.0 is affected.
- Version ClearPass Policy Manager 6.11.x: 6.11.6 and below is affected.
- Version ClearPass Policy Manager 6.10.x: ClearPass 6.10.8 Hotfix Q4 2023 for Security issues and below is affected.
- Version ClearPass Policy Manager 6.9.x: ClearPass 6.9.13 Hotfix Q4 2023 for Security issues and below is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.