Lucene search

ZdiVULNRICHMENT:CVE-2023-27357

HistoryMay 03, 2024 - 1:56 a.m.

CVE-2023-27357 NETGEAR RAX30 GetInfo Missing Authentication Information Disclosure Vulnerability

2024-05-0301:56:09

CWE-306

zdi

github.com

netgear rax30

getinfo

authentication

disclosure

vulnerability

soap requests

zdi-can-19608

6.5 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.2 Medium

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

16.4%

JSON

NETGEAR RAX30 GetInfo Missing Authentication Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR RAX30 routers. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the handling of SOAP requests. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose sensitive information, leading to further compromise. Was ZDI-CAN-19608.

CNA Affected

[
  {
    "vendor": "NETGEAR",
    "product": "RAX30",
    "versions": [
      {
        "version": "1.0.9.90_3",
        "status": "affected"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

kb.netgear.com/000065619/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2022-0348

www.zerodayinitiative.com/advisories/ZDI-23-497/

6.5 Medium

CVSS3

Attack Vector

ADJACENT

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.2 Medium

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

16.4%

JSON

Related for VULNRICHMENT:CVE-2023-27357