HP Smart Update Manager Remote Unauthorized Access.

critical Nessus Plugin ID 133955

Synopsis

A software/firmware update application running on the remote host is affected by an authentication bypass vulnerability.

Description

The HPE Smart Update Manager running on the remote host is affected by an authentication bypass vulnerability. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to bypass authentication and execute arbitrary actions defined by the application.

Solution

HP Smart Update Manager 8.5.0 or later appears to fix the vulnerability. Contact the vendor for confirmation.

Plugin Details

Severity: Critical

ID: 133955

File Name: hp_sum_usesshkey_auth_bypass.nasl

Version: 1.1

Type: remote

Family: CGI abuses

Published: 2/24/2020

Updated: 2/24/2020

Supported Sensors: Nessus

Risk Information

CVSS Score Rationale: This vulnerability is very similar to CVE-2019-11988. The score is based on CVE-2019-11988.

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: manual

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:hp:smart_update_manager

Required KB Items: installed_sw/HP Smart Update Manager

Exploited by Nessus: true

Vulnerability Publication Date: 1/15/2020

Reference Information