HP Smart Update Manager Remote Unauthorized Access.

High Nessus Plugin ID 133955

Synopsis

A software/firmware update application running on the remote host is affected by an authentication bypass vulnerability.

Description

The HPE Smart Update Manager running on the remote host is affected by an authentication bypass vulnerability. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to bypass authentication and execute arbitrary actions defined by the application.

Solution

HP Smart Update Manager 8.5.0 or later appears to fix the vulnerability. Contact the vendor for confirmation.

Plugin Details

Severity: High

ID: 133955

File Name: hp_sum_usesshkey_auth_bypass.nasl

Version: 1.1

Type: remote

Family: CGI abuses

Published: 2020/02/24

Updated: 2020/02/24

Dependencies: 76768

Risk Information

Risk Factor: High

CVSS Score Source: manual

CVSS Score Rationale: This vulnerability is very similar to CVE-2019-11988. The score is based on CVE-2019-11988.

CVSS v2.0

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:hp:smart_update_manager

Required KB Items: installed_sw/HP Smart Update Manager

Exploited by Nessus: true

Vulnerability Publication Date: 2020/01/15

Reference Information