Japan Vulnerability Notes, JVN:38343415
Jun 27, 2023 - 12:00 a.m.

JVN#38343415: Multiple vulnerabilities in Aterm series


CVSS3: 7.2 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.001 Low
Percentile: 23.6%

The Aterm series provided by NEC Corporation contains the multiple vulnerabilities listed below.

Directory traversal (CWE-22) - CVE-2023-3330

Version | Vector | Score
CVSS v3 | CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N | Base Score: 2.6
CVSS v2 | AV:A/AC:M/Au:S/C:P/I:N/A:N | Base Score: 2.3

Directory traversal (CWE-22) - CVE-2023-3331

Version | Vector | Score
CVSS v3 | CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N | Base Score: 2.6
CVSS v2 | AV:A/AC:M/Au:S/C:N/I:P/A:N | Base Score: 2.3

Stored cross-site scripting (CWE-79) - CVE-2023-3332

Version | Vector | Score
CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N | Base Score: 4.3
CVSS v2 | AV:A/AC:M/Au:S/C:N/I:P/A:N | Base Score: 2.3

OS command injection (CWE-78) - CVE-2023-3333

Version | Vector | Score
CVSS v3 | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | Base Score: 6.8
CVSS v2 | AV:A/AC:L/Au:S/C:C/I:C/A:C | Base Score: 7.7

Impact

  • An authenticated attacker may obtain specific files in the product - CVE-2023-3330
  • An authenticated attacker may delete specific files in the product - CVE-2023-3331
  • After obtaining high privileges by exploiting CVE-2023-3330 and CVE-2023-3331, the attacker may execute an arbitrary script - CVE-2023-3332
  • After obtaining high privileges by exploiting CVE-2023-3330 and CVE-2023-3331, the attacker may execute an arbitrary OS command with root privileges - CVE-2023-3333

Solution

Stop using the products
The affected products are no longer supported. Stop using the vulnerable products and consider switching to alternatives.

Apply a workaround
The developer states that there is no plan to provide firmware updates for the affected products, and therefore recommends that users apply workarounds to mitigate the impact of the vulnerabilities before switching to alternatives.

For details, refer to the information provided by the developer.

Products Affected

All versions of the following Aterm series products are affected by the vulnerabilities.

  • WG2600HP2
  • WG2600HP
  • WG2200HP
  • WG1800HP2
  • WG1800HP
  • WG1400HP
  • WG600HP
  • WG300HP
  • WF300HP
  • WR9500N
  • WR9300N
  • WR8750N
  • WR8700N
  • WR8600N
  • WR8370N
  • WR8175N
  • WR8170N
