Lucene search

TalosCVE-2023-39367

HistoryApr 17, 2024 - 1:15 p.m.

CVE-2023-39367

2024-04-1713:15:06

CWE-78

talos

web.nvd.nist.gov

vulnerability

web interface

mac2name functionality

arbitrary command execution

http request

peplink smart reader

qemu

authenticated

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score

7.1

Confidence

Low

EPSS

0.001

Percentile

20.4%

JSON

An OS command injection vulnerability exists in the web interface mac2name functionality of Peplink Smart Reader v1.2.0 (in QEMU). A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Affected configurations

Vulners

Vulnrichment

Node

peplinksmart_readerRange≤v1.2.0 (in QEMU)

VendorProductVersionCPE
peplinksmart_reader*cpe:2.3:a:peplink:smart_reader:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
peplink	smart_reader	*	cpe:2.3:a:peplink:smart_reader::::::::

CNA Affected

[
  {
    "vendor": "Peplink",
    "product": "Smart Reader",
    "versions": [
      {
        "version": "v1.2.0 (in QEMU)",
        "status": "affected"
      }
    ]
  }
]

References

forum.peplink.com/t/peplink-security-advisory-smart-reader-firmware-1-2-0-cve-2023-43491-cve-2023-45209-cve-2023-39367-cve-2023-45744-cve-2023-40146/47256

talosintelligence.com/vulnerability_reports/TALOS-2023-1867

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score

7.1

Confidence

Low

EPSS

0.001

Percentile

20.4%

JSON

Related for CVE-2023-39367