HP Smart Update Manager Remote Unauthorized Access.

High Nessus Plugin ID 128768

Synopsis

A software/firmware update application running on the remote host is affected by an authentication bypass vulnerability.

Description

The HPE Smart Update Manager running on the remote host is affected by an authentication bypass vulnerability. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to bypass authentication and execute arbitrary actions defined by the application.

Solution

Upgrade to HP Smart Update Manager 8.3.5 or later.

See Also

http://www.nessus.org/u?0a459a70

Plugin Details

Severity: High

ID: 128768

File Name: hp_sum_cve-2019-11988.nasl

Version: 1.3

Type: remote

Family: CGI abuses

Published: 2019/09/13

Updated: 2020/02/24

Dependencies: 76768

Risk Information

Risk Factor: High

CVSS Score Source: CVE-2019-11988

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:hp:smart_update_manager

Required KB Items: installed_sw/HP Smart Update Manager

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 2019/05/31

Vulnerability Publication Date: 2019/05/31

Reference Information

CVE: CVE-2019-11988

HP: HPESBMU03922