Critical Vulnerability Information

Vulnerability Title: HPESBGN04278 rev.3 - HPE OneView, Multiple Remote Vulnerabilities

Potential Security Impact: Remote

Vulnerability Types:
- Bypass Security Restrictions
- Cross-Site Scripting (XSS)
- Server-Side Request Forgery (SSRF)

Related CVE IDs:
- CVE-2022-23706 (Remote cross-site scripting (XSS))
- CVE-2022-28616 (Remote server-side request forgery (SSRF))
- CVE-2022-28617 (Remote bypass of security restrictions)

Affected Product: HPE OneView

Affected Versions:
- HPE OneView - Prior to 7.0, and 6.60.01

CVSS Scores:
- CVE-2022-23706: V3 Base Score 8.0, V2 Base Score 7.1
- CVE-2022-28616: V3 Base Score 4.6, V2 Base Score 4.0
- CVE-2022-28617: V3 Base Score 4.2, V2 Base Score 3.6

Solution:
HPE has made the following software updates available to resolve these vulnerabilities; upgrade to one of them:
- HPE OneView 7.0
- HPE OneView 6.60.01

Release Date: 2022-05-16
Last Updated: 2022-08-17

Reporter: Michael Musheev

Support & Reporting:
- Support: Through normal HPE Services support channels or by email to security-alert@hpe.com
- Report Vulnerabilities: Via the HPE web form or by email to security-alert@hpe.com