HpeCVEs & Vulnerabilities
184 CVEs affecting Hpe products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.
Most Affected Products
A security vulnerability in HPE Smart Update Manager (SUM) prior to version 8.5.6 could allow remote unauthorized access. Hewlett Packard Enterprise has provided a software update to resolve this vulnerability in HPE Smart Update Manager (SUM) prior to 8.5.6. Please visit the HPE Support Center at https://support.hpe.com/hpesc/public/home to download the latest version of HPE Smart Update Manager (SUM). Download the latest version of HPE Smart Update Manager (SUM) or download the latest Service Pack For ProLiant (SPP).
A potential security vulnerability has been identified in Hewlett Packard Enterprise OfficeConnect 1820, 1850, and 1920S Network switches. The vulnerability could be remotely exploited to allow authentication bypass. HPE has made the following software updates to resolve the vulnerability in Hewlett Packard Enterprise OfficeConnect 1820, 1850 and 1920S Network switches versions: Prior to PT.02.14; Prior to PC.01.22; Prior to PO.01.21; Prior to PD.02.22;
A broken access control (BAC) vulnerability in the web-based management interface could allow an authenticated remote attacker with low privileges to view sensitive information. Successful exploitation of this vulnerability could enable the attacker to disclose sensitive data.
A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unauthorized access to the session, potentially leading to the view or modification of sensitive configuration data.
A command injection vulnerability exists in the AOS-CX Operating System. Successful exploitation could allow an authenticated remote attacker to conduct a Remote Code Execution (RCE) on the affected system.
A command injection vulnerability exists in the AOS-CX Operating System. Successful exploitation could allow an authenticated remote attacker to conduct a Remote Code Execution (RCE) on the affected system.
A platform-level denial-of-service (DoS) vulnerability exists in ArubaOS-CX software. Successful exploitation of this vulnerability could allow an attacker with administrative access to execute specific code that renders the switch non-bootable and effectively non-functional.
A vulnerability in the SSH restricted shell interface of the network management services allows improper access control for authenticated read-only users. If successfully exploited, this vulnerability could allow an attacker with read-only privileges to gain administrator access on the affected system.
An authentication bypass vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.18.
An authentication bypass and disclosure of information vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.18.
An hsqldb-related remote code execution vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.18.
An information disclosure vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.17.
An information disclosure vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.17.
An hsqldb-related remote code execution vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.17.
An authentication bypass vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.17.
A remote code execution vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646.
A path traversal vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646.
A vulnerability in HPE Insight Remote Support (IRS) prior to v7.15.0.646 may allow an unauthenticated denial of service
A command injection remote code execution vulnerability exists in HPE StoreOnce Software.
A directory traversal information disclosure vulnerability exists in HPE StoreOnce Software.
A directory traversal arbitrary file deletion vulnerability exists in HPE StoreOnce Software.
An authentication bypass vulnerability exists in HPE StoreOnce Software.
A command injection remote code execution vulnerability exists in HPE StoreOnce Software.
A command injection remote code execution vulnerability exists in HPE StoreOnce Software.
A server-side request forgery vulnerability exists in HPE StoreOnce Software.
A command injection remote code execution vulnerability exists in HPE StoreOnce Software.
A vulnerability in the HPE Performance Cluster Manager (HPCM) GUI could allow an attacker to bypass authentication.
A directory traversal vulnerability in Hewlett Packard Enterprise Insight Remote Support may allow remote code execution.
An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases.
An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases.
A java deserialization vulnerability in HPE Remote Insight Support may allow an unauthenticated attacker to execute code.
An XML external entity injection (XXE) vulnerability in HPE Insight Remote Support may allow remote users to disclose information in certain cases.
This vulnerability could be exploited, leading to unauthorized disclosure of information to authenticated users.
HPE Cray Parallel Application Launch Service (PALS) is subject to an authentication bypass.
A potential security vulnerability has been identified in HPE Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 6 (iLO 6). The vulnerability could be remotely exploited to allow authentication bypass.
A remote code execution issue exists in HPE OneView.
HPE Integrated Lights-Out 5, and Integrated Lights-Out 6 using iLOrest may cause denial of service.
HPE MSA Controller prior to version IN210R004 could be remotely exploited to allow inconsistent interpretation of HTTP requests.
A memory corruption vulnerability in ArubaOS-Switch could lead to unauthenticated remote code execution by receiving specially crafted packets. Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.
An authenticated remote code execution vulnerability exists in the command line interface in ArubaOS-Switch. Successful exploitation results in a Denial-of-Service (DoS) condition in the switch.
A vulnerability in the ArubaOS-Switch web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface provided certain configuration options are present. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
An authenticated command injection vulnerability exists in the AOS-CX command line interface. Successful exploitation of this vulnerability results in the ability to execute arbitrary commands on the underlying operating system as a privileged user on the affected switch. This allows an attacker to fully compromise the underlying operating system on the device running AOS-CX.
The vulnerability could be locally exploited to allow escalation of privilege.
The MC990 X and UV300 RMC component has and inadequate default configuration that could be exploited to obtain enhanced privilege.
A security vulnerability in HPE Insight Remote Support may result in the local disclosure of privileged LDAP information.
HPE OneView and HPE OneView Global Dashboard appliance dumps may expose authentication tokens
An HPE OneView Global Dashboard (OVGD) appliance dump may expose OVGD user account credentials
A remote Cross-site Scripting vulnerability was discovered in HPE Integrated Lights-Out 6 (iLO 6), Integrated Lights-Out 5 (iLO 5) and Integrated Lights-Out 4 (iLO 4). HPE has provided software updates to resolve this vulnerability in HPE Integrated Lights-Out.