History: Apr 09, 2024 - 2:15 p.m.

CVE-2023-6320

2024-04-09 14:15:08
CWE-78
Bitdefender
web.nvd.nist.gov
Tags: command injection, webos, vulnerability, authenticated requests, dbus user, tv models

CVSS3: 9.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score: 7.2
Confidence: Low

EPSS: 0
Percentile: 9.6%

A command injection vulnerability exists in the com.webos.service.connectionmanager/tv/setVlanStaticAddress endpoint on webOS versions 5 and 6. A series of specially crafted requests can lead to command execution as the dbus user. An attacker can make authenticated requests to trigger this vulnerability.

Full versions and TV models affected:

  • webOS 5.5.0 - 04.50.51 running on OLED55CXPUA

  • webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "webOS",
    "vendor": "LG",
    "versions": [
      {
        "status": "affected",
        "version": "5.5.0"
      },
      {
        "status": "affected",
        "version": "6.3.3-442"
      }
    ]
  }
]

