GitHub Advisory Database: GHSA-7R88-WJHJ-JR8M
History: Aug 01, 2023 - 3:30 p.m.

RaspAP Command Injection vulnerability

2023-08-01 15:30:30
CWE-77
GitHub Advisory Database
github.com
Tags: raspap, command injection, vulnerability, authenticated, attacker, execute, arbitrary os commands, root, entity, post parameters, ajax, networking, get_wgkey.php

CVSS3: 8.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001
Percentile: 32.9%

A command injection vulnerability in RaspAP 2.8.0 through 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the entity POST parameters in /ajax/networking/get_wgkey.php.

Affected configurations

Vulners
Node: billz raspap-webgui, Range: 2.8.0 - 2.9.5

Vendor | Product | Version | CPE
billz | raspap-webgui | * | cpe:2.3:a:billz:raspap-webgui:*:*:*:*:*:*:*:*
