CVE-2021-26685

Name of the Vulnerable Software and Affected Versions Aruba ClearPass Policy Manager versions prior to 6.9.5 Aruba ClearPass Policy Manager version 6.8.8-HF1 Aruba ClearPass Policy Manager version 6.7.14-HF1

Description A remote authenticated SQL Injection issue was discovered in the web-based management interface API of ClearPass, allowing an authenticated remote attacker to conduct SQL injection attacks against the ClearPass instance. This could enable an attacker to obtain and modify sensitive information in the underlying database.

Recommendations For versions prior to 6.9.5, update to version 6.9.5 or later. For version 6.8.8-HF1, update to a version later than 6.8.8-HF1. For version 6.7.14-HF1, update to a version later than 6.7.14-HF1. As a temporary workaround, consider restricting access to the web-based management interface API until a patch is available.