NVD:CVE-2024-38270
Sep 10, 2024 - 2:15 a.m.

CVE-2024-38270

2024-09-10 02:15:09
CWE-331
web.nvd.nist.gov
Tags: vulnerability, zyxel, gs1900-10hp, firmware, entropy, authentication, tokens, lan-based, attacker, session

CVSS3: 6.5

Attack Vector: ADJACENT
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001
Percentile: 21.3%

An insufficient entropy vulnerability caused by the improper use of a randomness function with low entropy for web authentication tokens generation exists in the Zyxel GS1900-10HP firmware version V2.80(AAZI.0)C0. This vulnerability could allow a LAN-based attacker a slight chance to gain a valid session token if multiple authenticated sessions are alive.

Affected configurations

Nvd

Node: zyxel gs1900-48hpv2_firmware, Range <2.80\(abtq.1\)c0 AND zyxel gs1900-48hpv2, Match -
Node: zyxel gs1900-48_firmware, Range <2.80\(aahn.1\)c0 AND zyxel gs1900-48, Match -
Node: zyxel gs1900-24hpv2_firmware, Range <2.80\(abtp.1\)c0 AND zyxel gs1900-24hpv2, Match -
Node: zyxel gs1900-24ep_firmware, Range <2.80\(abto.1\)c0 AND zyxel gs1900-24ep, Match -
Node: zyxel gs1900-24e_firmware, Range 2.80\(aahk.1\)c0 AND zyxel gs1900-24e, Match -
Node: zyxel gs1900-24_firmware, Range 2.80\(aahl.1\)c0 AND zyxel gs1900-24, Match -
Node: zyxel gs1900-16_firmware, Range <2.80\(aahj.1\)c0 AND zyxel gs1900-16, Match -
Node: zyxel gs1900-10hp_firmware, Range <2.80\(aazi.1\)c0 AND zyxel gs1900-10hp, Match -
Node: zyxel gs1900-8hp_firmware, Range <2.80\(aahi.1\)c0 AND zyxel gs1900-8hp, Match -
Node: zyxel gs1900-8_firmware, Range <2.80\(aahh.1\)c0 AND zyxel gs1900-8, Match -

Vendor | Product | Version | CPE
zyxel | gs1900-48hpv2_firmware | * | cpe:2.3:o:zyxel:gs1900-48hpv2_firmware:*:*:*:*:*:*:*:*
zyxel | gs1900-48hpv2 | - | cpe:2.3:h:zyxel:gs1900-48hpv2:-:*:*:*:*:*:*:*
zyxel | gs1900-48_firmware | * | cpe:2.3:o:zyxel:gs1900-48_firmware:*:*:*:*:*:*:*:*
zyxel | gs1900-48 | - | cpe:2.3:h:zyxel:gs1900-48:-:*:*:*:*:*:*:*
zyxel | gs1900-24hpv2_firmware | * | cpe:2.3:o:zyxel:gs1900-24hpv2_firmware:*:*:*:*:*:*:*:*
zyxel | gs1900-24hpv2 | - | cpe:2.3:h:zyxel:gs1900-24hpv2:-:*:*:*:*:*:*:*
zyxel | gs1900-24ep_firmware | * | cpe:2.3:o:zyxel:gs1900-24ep_firmware:*:*:*:*:*:*:*:*
zyxel | gs1900-24ep | - | cpe:2.3:h:zyxel:gs1900-24ep:-:*:*:*:*:*:*:*
zyxel | gs1900-24e_firmware | * | cpe:2.3:o:zyxel:gs1900-24e_firmware:*:*:*:*:*:*:*:*
zyxel | gs1900-24e | - | cpe:2.3:h:zyxel:gs1900-24e:-:*:*:*:*:*:*:*