Attacker Value
Very High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
1

Multiple vulnerabilities in HPE Intelligent Management Center (IMC) before E0705P07

Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

Security vulnerabilities in HPE Intelligent Management Center (IMC) PLAT prior to 7.3 (E0705P07) could allow remote code execution.

General Information

Additional Info

Technical Analysis

Description

On October 12, 2020, HP Enterprise (HPE) published a security bulletin disclosing 64 separate remote code execution (RCE) and unauthorized data injection vulnerabilities in its Intelligent Management Center (IMC) product.

As of October 21, 2020, Rapid7 researchers have independently verified that 12 of the vulnerabilities were fixed in HPE IMC 7.3 patch E0705P02, which was released on December 6, 2019. The other 52 vulnerabilities appear to have been fixed in HPE IMC 7.3 patch E0705P07, which was released on October 12, 2020 along with the advisory that prompted this analysis. The cumulative advisory from HPE may have been published for the sake of mapping previously unpublished CVEs to several batches of vulnerabilities disclosed by the Zero Day Initiative (ZDI) in early 2020. We are not aware of any active exploitation as of October 28, 2020.

The CVEs included in the advisory are:

  • CVE-2020-7141 through CVE-2020-7195
  • CVE-2020-24629
  • CVE-2020-24630
  • CVE-2020-24646 through CVE-2020-24652

41 of the CVEs carry a 9.8 CVSSv3 base score, while the other 23 carry an 8.8 base score.

By cross-referencing the vulnerabilities in the advisory with ZDI’s published advisories, Rapid7 researchers determined that CVE-2020-7141 through CVE-2020-7143, CVE-2020-24629, CVE-2020-24630, and CVE-2020-24646 through CVE-2020-24652 were patched in HPE IMC version 7.3 (E0705P02), while CVE-2020-7144 through CVE-2020-7195 were presumably patched in 7.3 (E0705P07).

Affected products

We have included a full table of affected products and patch versions at the bottom of this analysis.

  • HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
    • CVE-2020-7141 through CVE-2020-7143
    • CVE-2020-24629
    • CVE-2020-24630
    • CVE-2020-24646 through CVE-2020-24652
  • HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
    • CVE-2020-7144 through CVE-2020-7195

Rapid7 analysis

HPE IMC is a well-known enterprise product whose user base presents high-value opportunities for attackers. The vast majority of the vulnerabilities in HPE’s cumulative advisory have been publicly available on ZDI’s 2020 advisories page (with technical detail) since January and February of 2020, which means that attackers have had the information they need to craft and hone attacks for the better part of a year. It’s likely that we’ll see more HPE IMC vulnerability disclosures through at least the beginning of 2021.

To test the E0705P02 patch hypothesis, Rapid7 researchers sampled CVE-2020-24648, a Java deserialization vulnerability in AccessMgrServlet. The sole Java deserialization vulnerability was chosen for the frequently and often easily exploitable nature of its bug class.

Contrary to HPE’s security bulletin, the vulnerability did require authentication to exploit, prior to the E0705P02 patch. However, Rapid7 researchers surmise that CVE-2020-24629, an authentication bypass in UrlAccessController, could possibly be leveraged to bypass CVE-2020-24648’s authentication requirement.

The E0705P02 patch to the AccessMgrServlet class’ doPost() method is shown below. The doPost() method in a Java servlet handles HTTP POST requests. Note the use of the ValidatingObjectInputStream class to validate Java objects deserialized by the readObject() method. This mitigation is only as effective as the objects it seeks to validate.

   public void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-    HttpSession session = request.getSession();
-    OperatorLoginInfo operatorLoginInfo = null;
-    try {
-      operatorLoginInfo = OperatorLoginInfo.getLoginOperator(session);
-      if (runLog.isTraceEnabled())
-        runLog.trace("current operatorLoginInfo is " + operatorLoginInfo
-            .getLoginName());
-    } catch (PlatformException e) {
-      runLog.warn(null, (Throwable)e);
-      response.setContentType("application/octet-stream");
-      (new ObjectOutputStream((OutputStream)response.getOutputStream()))
-        .writeUnshared("SESSION_ERROR");
-      response.getOutputStream().flush();
-      return;
-    }
-    try {
-      Map<Integer, Set<Number>> resources = (operatorLoginInfo == null) ? null : operatorLoginInfo.getResources();
-      ValidatingObjectInputStream is = new ValidatingObjectInputStream((InputStream)request.getInputStream());
-      Class<?>[] classTypes = new Class[2];
-      classTypes[0] = Class.forName("com.h3c.imc.fault.applet.MgrReqMsg");
-      classTypes[1] = Class.forName("[B");
-      is.accept(classTypes);
-      Object o = is.readObject();
-      if (!(o instanceof MgrReqMsg)) {
-        runLog.error("received data type is not MgrReqMsg!");
-        return;
-      }
-      MgrReqMsg msg = (MgrReqMsg)o;
-      String methodName = new String(msg.methodName);
-      String className = new String(msg.className);
-      Object objRet = null;
-      MgrReqMsg resp = null;
-      if ("accessMgrServlet".equals(className))
-        if ("checkSeesion".equals(methodName)) {
-          String value = session.getId();
-          runLog.debug("check server session = " + value);
-          resp = new MgrReqMsg(className, methodName, value, false);
-          response.setContentType("application/octet-stream");
-          ObjectOutputStream objectOutputStream = new ObjectOutputStream((OutputStream)response.getOutputStream());
-          objectOutputStream.writeUnshared(resp);
-          response.getOutputStream().flush();
-          return;
-        }
-      if (this.faultBoardMgr != null && "faultBoardMgr".equals(className)) {
-        boolean needReturn = false;
-        if ("readFaultAppletData".equals(methodName)) {
-          needReturn = true;
-          objRet = this.faultBoardMgr.readFaultAppletData(resources);
-        } else if ("clearLoadFlag".equals(methodName)) {
-          needReturn = true;
-          objRet = null;
-          this.faultBoardMgr.clearLoadFlag();
-        } else if ("queryAllFaultTypeMap".endsWith(methodName)) {
-          needReturn = true;
-          objRet = this.faultBoardMgr.queryAllFaultTypeMap();
-        } else if ("queryAppletLoopInterval".endsWith(methodName)) {
-          needReturn = true;
-          objRet = Integer.valueOf(this.faultBoardMgr.queryAppletLoopInterval());
-        }
-        if (needReturn) {
-          if (objRet == null)
-            return;
-          response.setContentType("application/octet-stream");
-          ObjectOutputStream objectOutputStream = new ObjectOutputStream((OutputStream)response.getOutputStream());
-          objectOutputStream.writeUnshared(objRet);
-          response.getOutputStream().flush();
-          return;
-        }
-      }
-      Object data = null;
-      if (msg.isAsn) {
-        if (msg.msgcls != null) {
-          BERDecoder de = new BERDecoder(msg.data);
-          Object object = Class.forName(new String(msg.msgcls)).newInstance();
-          data = object;
-          ((ASN1Type)data).decode((ASN1Decoder)de);
-        }
-      } else if (msg.msgcls != null) {
-        data = Class.forName(new String(msg.msgcls)).newInstance();
-      }
-      Object bean = null;
-      Class<?> cls = null;
-      if (ServerContext.getRootAppContext().containsBean(className))
-        bean = ServerContext.getRootAppContext().getBean(className);
-      try {
-        if (bean == null) {
-          String regex = "[a-zA-Z]+[0-9a-zA-Z_]*";
-          if (Pattern.matches(regex, className))
-            bean = FacesUtils.getValueExpressionObject("#{" + className + "}");
-        }
-      } catch (Exception e) {
-        runLog.debug(null, e);
-      }
-      if (bean == null) {
-        runLog.warn("the bean " + className + " does not exist.");
-        return;
-      }
-      cls = bean.getClass();
-      List<Class<?>> classList = new ArrayList<>();
-      int rs = 1;
-      int addReq = 2;
-      int addPri = 4;
-      int addData = 8;
-      if (msg.request) {
-        classList.add(HttpServletRequest.class);
-        rs |= addReq;
-      }
-      if (msg.isPrivilege) {
-        classList.add(Map.class);
-        rs |= addPri;
-      }
-      if (msg.msgcls != null) {
-        classList.add(Class.forName(new String(msg.msgcls)));
-        rs |= addData;
-      }
-      Class<?>[] argv = new Class[classList.size()];
-      argv = (Class[])classList.<Class<?>[]>toArray((Class<?>[][])argv);
-      Method m = cls.getMethod(methodName, argv);
-      if (rs == 1) {
-        objRet = m.invoke(bean, new Object[0]);
-      } else if (rs == 3) {
-        objRet = m.invoke(bean, new Object[] { request });
-      } else if (rs == 5) {
-        objRet = m.invoke(bean, new Object[] { resources });
-      } else if (rs == 9) {
-        objRet = m.invoke(bean, new Object[] { data });
-      } else if (rs == 7) {
-        objRet = m.invoke(bean, new Object[] { request, resources });
-      } else if (rs == 11) {
-        objRet = m.invoke(bean, new Object[] { request, data });
-      } else if (rs == 13) {
-        objRet = m.invoke(bean, new Object[] { resources, data });
-      } else if (rs == 15) {
-        objRet = m.invoke(bean, new Object[] { request, resources, data });
-      } else {
-        runLog.error("request proc failed, quest code is " + rs);
-        runLog.error("request proc failed, quest MgrReqMsg is " + msg.toString());
-        return;
-      }
-      if (objRet == null)
-        return;
-      resp = new MgrReqMsg(className, methodName, objRet, false);
-      response.setContentType("application/octet-stream");
-      ObjectOutputStream oos = new ObjectOutputStream((OutputStream)response.getOutputStream());
-      oos.writeUnshared(resp);
-      response.getOutputStream().flush();
-    } catch (Exception e) {
-      runLog.warn(null, e);
-      return;
-    }
   }

The patch deletes the doPost() method’s code entirely, preventing any further vulnerabilities in that method (and perhaps proving the adage that the most secure code is code that doesn’t exist).

Curiously, the doGet() method that handles HTTP GET requests was equally modified. Since there was no authentication in this method, sending a GET request to the /imc/fault/accessMgrServlet endpoint allows defenders to detect the presence of the E0705P02 patch.

   public void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
-    response.setContentType("text/html; charset=GBK");
-    PrintWriter out = response.getWriter();
-    out.println("<htmlnode>");
-    out.println("<body>");
-    out.println("<p>ok</p>");
-    out.println("</body></html>");
   }

No other changes were made to the AccessMgrServlet class between E0705P02 and E0705P07, making this an effective remote check for that patch range.

Since we wanted confirmation that the authentication bypass had been patched by E0705P02, we analyzed the UrlAccessController class for any changes to the file.

Two normalizeSyntax() methods were modified; the changes can be seen below.

   private static URI normalizeSyntax(URI uri) {
     if (uri.isOpaque())
       return uri;
     String path = (uri.getPath() == null) ? "" : uri.getPath();
     String[] inputSegments = path.split("/");
     Stack<String> outputSegments = new Stack<>();
     for (String inputSegment : inputSegments) {
       if (inputSegment.length() != 0 &&
         !".".equals(inputSegment))
-        if ("..".equals(inputSegment) || StringUtils.equalsIgnoreCase("%2e%2e", inputSegment)) {
+        if ("..".equals(inputSegment) || StringUtils.equalsIgnoreCase("%2e%2e", inputSegment) ||
+          StringUtils.equalsIgnoreCase(".%2e", inputSegment) ||
+          StringUtils.equalsIgnoreCase("%2e.", inputSegment)) {
           if (!outputSegments.isEmpty())
             outputSegments.pop();
         } else {
           outputSegments.push(inputSegment);
         }
     }
     StringBuilder outputBuffer = new StringBuilder();
     for (String outputSegment : outputSegments)
       outputBuffer.append('/').append(outputSegment);
     if (path.lastIndexOf('/') == path.length() - 1)
       outputBuffer.append('/');
     try {
       String scheme = uri.getScheme().toLowerCase();
       String auth = uri.getAuthority().toLowerCase();
       URI ref = new URI(scheme, auth, outputBuffer.toString(), null, null);
       if (uri.getQuery() == null && uri.getFragment() == null)
         return ref;
       StringBuilder normalized = new StringBuilder(ref.toASCIIString());
       if (uri.getQuery() != null)
         normalized.append('?').append(uri.getRawQuery());
       if (uri.getFragment() != null)
         normalized.append('#').append(uri.getRawFragment());
       return URI.create(normalized.toString());
     } catch (URISyntaxException e) {
       throw new IllegalArgumentException(e);
     }
   }

And another normalizeSyntax() method in the same class…with a different data type.

   private static String normalizeSyntax(String path) {
     if (!StringUtils.contains(path, "..") && !StringUtils.containsIgnoreCase(path, "..") &&
-      !StringUtils.containsIgnoreCase(path, "%2e%2e"))
+      !StringUtils.containsIgnoreCase(path, "%2e%2e") &&
+      !StringUtils.containsIgnoreCase(path, ".%2e") &&
+      !StringUtils.containsIgnoreCase(path, "%2e."))
       return path;
     String[] inputSegments = path.split("/");
     Stack<String> outputSegments = new Stack<>();
     for (String inputSegment : inputSegments) {
       if (inputSegment.length() != 0 &&
         !".".equals(inputSegment))
-        if ("..".equals(inputSegment) || StringUtils.equalsIgnoreCase("%2e%2e", inputSegment)) {
+        if ("..".equals(inputSegment) || StringUtils.equalsIgnoreCase("%2e%2e", inputSegment) ||
+          StringUtils.equalsIgnoreCase(".%2e", inputSegment) ||
+          StringUtils.equalsIgnoreCase("%2e.", inputSegment)) {
           if (!outputSegments.isEmpty())
             outputSegments.pop();
         } else {
           outputSegments.push(inputSegment);
         }
     }
     StringBuilder outputBuffer = new StringBuilder();
     for (String outputSegment : outputSegments)
       outputBuffer.append('/').append(outputSegment);
     if (path.lastIndexOf('/') == path.length() - 1)
       outputBuffer.append('/');
     return outputBuffer.toString();
   }

The patch adds two new cases to the existing path traversal protection: .%2e and %2e., both partially encoded forms of .., which is used to reference the parent directory in a path traversal attack.

Rapid7 vulnerability research teams believe that this patching methodology may see further bypasses in the future. Developers should take measures to adequately sanitize user input beyond a case-by-case basis.

Guidance

Rapid7 recommends that HPE IMC customers apply the latest patch (50-node product referenced), which is E0705P07 at the time of this writing. This will ensure that they are protected against all known vulnerabilities to date, not only the ones patched in E0705P02.

Vulnerability Affected versions
CVE-2020-24629 – ZDI-CAN-8943 UrlAccessController Authentication Bypass Vulnerability HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-24630 – ZDI-CAN-8965 operatorOnlineList_content Privilege Escalation Vulnerability HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-24646 – ZDI-CAN-8935 tftpserver Stack-based Buffer Overflow Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-24647 – AccessMgrServlet className Input Validation Code Execution Vulnerability HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-24648 – ZDI-CAN-8928 AccessMgrServlet className Deserialization of Untrusted Data Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-24649 – ByteMessageResource transformEntity” Input Validation Code Execution Vulnerability HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-24650 – ZDI-CAN-8963 legend Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-24651 – ZDI-CAN-8964 SyslogTempletSelectWin Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-24652 – ZDI-CAN-8967 addVsiInterfaceInfo Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-7141 – ZDI-CAN-8968 addDeviceToView Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-7142 – ZDI-CAN-8971 eventInfo_content Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-7143 – ZDI-CAN-8970 faultDevParasSet Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P02)
CVE-2020-7144 – ZDI-CAN-8966 compareFilesResult Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7145 – ZDI-CAN-8957 choosePerfView Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7146 – ZDI-CAN-8960 devGroupSelect Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7147 – ZDI-CAN-8961 deploySelectBootrom Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7148 – ZDI-CAN-8962 deploySelectSoftware Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7149 – ZDI-CAN-8981 ictExpertCSVDownload Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7150 – ZDI-CAN-8987 faultStatChooseFaultType Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7151 – ZDI-CAN-8988 faultTrapGroupSelect Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7152 – ZDI-CAN-8985 faultParasSet Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7153 – ZDI-CAN-8980 iccSelectDevType Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7154 – ZDI-CAN-8982 ifViewSelectPage Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7155 – ZDI-CAN-8989 select Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7156 – ZDI-CAN-8986 faultInfo_content Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7157 – ZDI-CAN-8991 selViewNavContent Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7158 – ZDI-CAN-8996 perfSelectTask Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7159 – ZDI-CAN-8959 customTemplateSelect Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7160 – ZDI-CAN-8978 iccSelectDeviceSeries Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7161 – ZDI-CAN-9002 reportTaskSelect Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7162 – ZDI-CAN-8992 operatorGroupSelectContent Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7163 – ZDI-CAN-8998 navigationTo Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7164 – ZDI-CAN-9003 operationSelect Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7165 – ZDI-CAN-8979 iccSelectCommand Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7166 – ZDI-CAN-8993 operatorGroupTreeSelectContent Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7167 – ZDI-CAN-8999 quickTemplateSelect Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7168 – ZDI-CAN-9004 selectUserGroup Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7169 – ZDI-CAN-8994 ictExpertCSVDownload Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7170 – ZDI-CAN-8990 select Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7171 – ZDI-CAN-8995 guiDataDetail Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7172 – ZDI-CAN-9000 templateSelect Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7173 – ZDI-CAN-8958 actionSelectContent Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7174 – ZDI-CAN-9001 soapConfigContent Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7175 – ZDI-CAN-8977 iccSelectDymicParam Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7176 – ZDI-CAN-9015 viewTaskResultDetailFact Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7177 – ZDI-CAN-9012 wmiConfigContent Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7178 – ZDI-CAN-8984 mediaForAction Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7179 – ZDI-CAN-9007 thirdPartyPerfSelectTask Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7180 – ZDI-CAN-8983 ictExpertDownload Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7181 – ZDI-CAN-9008 smsRulesDownload Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7182 – ZDI-CAN-9006 sshConfig Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7183 – ZDI-CAN-9011 forwardredirect Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7184 – ZDI-CAN-9010 viewBatchTaskResultDetailFact Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7185 – ZDI-CAN-9014 tvxlanLegend Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7186 – ZDI-CAN-9009 powershellConfigContent Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7187 – ZDI-CAN-8997 reportpage index Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7188 – ZDI-CAN-9013 userSelectPagingContent Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7189 – ZDI-CAN-8974 faultFlashEventSelectFact Expression Language InjectionRemote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7190 – ZDI-CAN-8973 deviceSelect Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7191 – ZDI-CAN-8972 devSoftSel Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7192 – ZDI-CAN-8969 deviceThresholdConfig Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7193 – ZDI-CAN-8976 ictExpertCSVDownload Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7194 – ZDI-CAN-9005 perfAddorModDeviceMonitor Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)
CVE-2020-7195 – ZDI-CAN-8975 iccSelectRules Expression Language Injection Remote Code Execution HPE Intelligent Management Center (IMC) prior to 7.3 (E0705P07)

References