Lucene search
HistoryJan 10, 2024 - 3:15 a.m.
CVE-2023-31446
cassia gateway
firmware
injection
bash code
sanitization
device startup
root privileges
CVSS3
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
9.6
Confidence
High
EPSS
0.014
Percentile
86.6%
In Cassia Gateway firmware XC1000_2.1.1.2303082218 and XC2000_2.1.1.2303090947, the queueUrl parameter in /bypass/config is not sanitized. This leads to injecting Bash code and executing it with root privileges on device startup.
Affected configurations
Node
cassianetworksxc1000_firmwareMatch2.1.1.2303082218
cassianetworksxc1000Match-
Node
cassianetworksxc2000_firmwareMatch2.1.1.2303090947
cassianetworksxc2000Match-
| Vendor | Product | Version | CPE |
|---|---|---|---|
| cassianetworks | xc1000_firmware | 2.1.1.2303082218 | cpe:2.3:o:cassianetworks:xc1000_firmware:2.1.1.2303082218:*:*:*:*:*:*:* |
| cassianetworks | xc1000 | - | cpe:2.3:h:cassianetworks:xc1000:-:*:*:*:*:*:*:* |
| cassianetworks | xc2000_firmware | 2.1.1.2303090947 | cpe:2.3:o:cassianetworks:xc2000_firmware:2.1.1.2303090947:*:*:*:*:*:*:* |
| cassianetworks | xc2000 | - | cpe:2.3:h:cassianetworks:xc2000:-:*:*:*:*:*:*:* |
Related
cvelist
cvelist
CVE-2023-31446
2024-01-10 00:00:00
nuclei
nuclei
Cassia Gateway Firmware - Remote Code Execution
2024-04-23 08:31:25
cve
cve
CVE-2023-31446
2024-01-10 03:15:43
prion
prion
Code injection
2024-01-10 03:15:00
CVSS3
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
9.6
Confidence
High
EPSS
0.014
Percentile
86.6%
Related for NVD:CVE-2023-31446