9.8критическая
CVE-2023-50919
Описание
An issue was discovered on GL.iNet devices before version 4.5.0. There is an NGINX authentication bypass via Lua string pattern matching. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.
Затрагиваемое ПО
Gl-inet Gl-ax1800 firmwareGl-inet Gl-ax1800Gl-inet Gl-axt1800 firmwareGl-inet Gl-axt1800Gl-inet Gl-mt3000 firmwareGl-inet Gl-mt3000Gl-inet Gl-mt2500 firmwareGl-inet Gl-mt2500Gl-inet Gl-mt6000 firmwareGl-inet Gl-mt6000Gl-inet Gl-mt1300 firmwareGl-inet Gl-mt1300Gl-inet Gl-mt300n-v2 firmwareGl-inet Gl-mt300n-v2Gl-inet Gl-ar750s firmwareGl-inet Gl-ar750sGl-inet Gl-ar750 firmwareGl-inet Gl-ar750Gl-inet Gl-ar300m firmwareGl-inet Gl-ar300mGl-inet Gl-b1300 firmwareGl-inet Gl-b1300Gl-inet Gl-a1300 firmwareGl-inet Gl-a1300
CVSS
| Балл | 9.8 — критическая |
| Вектор | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Источники
http://packetstormsecurity.com/files/176708/GL.iNet-Unauthenticated-Remote-Command-Execution.htmlhttps://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Authentication-bypass.mdhttp://packetstormsecurity.com/files/176708/GL.iNet-Unauthenticated-Remote-Command-Execution.htmlhttps://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Authentication-bypass.md