Japan Vulnerability Notes (jvn) - JVN:34232595
History: Jun 09, 2023 - 12:00 a.m.

JVN#34232595: ASUS Router RT-AX3000 vulnerable to using sensitive cookies without 'Secure' attribute

2023-06-09 00:00:00
Japan Vulnerability Notes (jvn.jp)
Tags: asus router, rt-ax3000, sensitive cookies, secure attribute, cwe-614, firmware update, man-in-the-middle, session hijacking, data security

CVSS3: 5.3

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS: 0.001
Percentile: 48.1%

ASUS Router RT-AX3000 provided by ASUSTeK COMPUTER INC. uses sensitive cookies without ‘Secure’ attribute (CWE-614).

Impact

When an attacker is in a position to mount a man-in-the-middle attack and a user is tricked into logging in to the affected device over an unencrypted (‘http’) connection, the user’s session may be hijacked.
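
One way to check a captured login response for the condition described above (an added example, not part of the JVN advisory or of ASUS code): the Python below parses the Set-Cookie headers of a raw HTTP response and lists the cookies set without the Secure attribute. The sample response, cookie names and function names are constructed for illustration.

```python
"""Flag Set-Cookie headers that lack the Secure attribute (CWE-614)."""

# Constructed sample response; cookie names and values are illustrative only.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session_token=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; Path=/secure; Max-Age=3600\r\n"
    "set-cookie: csrf=zzz; path=/; SECURE; HttpOnly\r\n"
    "Set-Cookie: note=secure; Expires=Wed, 09 Jun 2027 10:18:14 GMT\r\n"
    "\r\n"
    "<html></html>"
)


def parse_set_cookie(value):
    """Return (cookie_name, set of lower-cased attribute names)."""
    pair, *attrs = value.split(";")
    name = pair.split("=", 1)[0].strip()
    # Only the attribute name (text before '=') counts, so a value such as
    # Path=/secure or note=secure is never mistaken for the Secure flag.
    names = {a.split("=", 1)[0].strip().lower() for a in attrs if a.strip()}
    return name, names


def cookies_missing_secure(raw_response, sensitive=None):
    """List cookies set without Secure; `sensitive` optionally limits the names checked."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    wanted = set(sensitive) if sensitive is not None else None
    missing = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # header field names are case-insensitive
        name, attrs = parse_set_cookie(value)
        if wanted is not None and name not in wanted:
            continue
        if "secure" not in attrs:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for cookie in cookies_missing_secure(SAMPLE_RESPONSE):
        print(f"cookie without Secure attribute: {cookie}")
```

Passing the names of the session cookies as `sensitive` limits the report to the cookies whose exposure matters for session hijacking.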

Solution

Update the firmware
Update the firmware to the latest version according to the information provided by the developer.

Products Affected

  • ASUS Router RT-AX3000 Firmware versions prior to 3.0.0.4.388.23403
