Lucene search

GoogleOSV:GHSA-7R88-WJHJ-JR8M

HistoryAug 01, 2023 - 3:30 p.m.

RaspAP Command Injection vulnerability

2023-08-0115:30:30

Google

osv.dev

raspap

command injection

vulnerability

authenticated attacker

arbitrary os commands

root

post parameters

networking

get_wgkey.php

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

32.9%

JSON

A Command injection vulnerability in RaspAP 2.8.0 thru 2.9.2 allows an authenticated attacker to execute arbitrary OS commands as root via the entity POST parameters in /ajax/networking/get_wgkey.php.

References

github.com/RaspAP/raspap-webgui

github.com/RaspAP/raspap-webgui/blob/master/ajax/networking/get_wgkey.php

github.com/RaspAP/raspap-webgui/commit/e87e7d1d3a61617430851f2a040379de1ff3dd9d

github.com/RaspAP/raspap-webgui/pull/1395

github.com/RaspAP/raspap-webgui/releases/tag/2.9.5

medium.com/@ismael0x00/multiple-vulnerabilities-in-raspap-3c35e78809f2

nvd.nist.gov/vuln/detail/CVE-2022-39987

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

32.9%

JSON

Related for OSV:GHSA-7R88-WJHJ-JR8M