Lucene search

IcscertCVELIST:CVE-2023-32350

HistoryMay 22, 2023 - 3:14 p.m.

CVE-2023-32350

2023-05-2215:14:57

CWE-78

icscert

www.cve.org

teltonika

rut router

firmware

os command injection

lua service

parameter

vulnerability

package name

malicious

payload

cve-2023-32350

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

9.1

Confidence

High

EPSS

0.001

Percentile

30.7%

JSON

Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service. An attacker could exploit a parameter in the vulnerable function that calls a user-provided package name by instead providing a package with a malicious name that contains an OS command injection payload.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "RUT model routers",
    "vendor": "Teltonika",
    "versions": [
      {
        "lessThanOrEqual": "00.07.03",
        "status": "affected",
        "version": "00.07.00",
        "versionType": "custom"
      }
    ]
  }
]

References

www.cisa.gov/news-events/ics-advisories/icsa-23-131-08

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

9.1

Confidence

High

EPSS

0.001

Percentile

30.7%

JSON

Related for CVELIST:CVE-2023-32350