CVE-2022-37911

LOW

ArubaOS 6.5.4.0-6.5.4.21 and SD-WAN 8.7.0.0-2.3.0.0-8.7.0.0-2.3.0.5 - Authenticated XML External Entity Injection

Title source: llm

Description

Due to improper restrictions on XML entities multiple vulnerabilities exist in the command line interface of ArubaOS. A successful exploit could allow an authenticated attacker to retrieve files from the local system or cause the application to consume system resources, resulting in a denial of service condition.

References (1)

Core 1

Core References

Vendor Advisory

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-016.txt

Scores

CVSS v3 3.8

EPSS 0.0034

EPSS Percentile 56.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-611

Status published

Products (2)

arubanetworks/arubaos 6.5.4.0 - 6.5.4.22

arubanetworks/sd-wan 8.7.0.0-2.3.0.0 - 8.7.0.0-2.3.0.6

Published Dec 12, 2022

Tracked Since Feb 18, 2026