cvelistv5 - CVE-2023-32137

CVE-2023-32137

Vulnerability from cvelistv5

Published
2024-05-03 01:56
Modified
2024-09-18 18:28
Severity ?
4.3 (Medium) - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
D-Link DAP-1360 webproc WEB_DisplayPage Directory Traversal Information Disclosure Vulnerability
References
▼	URL	Tags
	zdi-disclosures@trendmicro.com	https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10324
	zdi-disclosures@trendmicro.com	https://www.zerodayinitiative.com/advisories/ZDI-23-529/
Impacted products
▼	Vendor	Product
	D-Link	DAP-1360
Show details on NVD website
JSON
To clipboard
{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:h:d-link:dap-1360f1_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dap-1360f1_firmware",
            "vendor": "d-link",
            "versions": [
              {
                "lessThanOrEqual": "6.14b01",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:h:d-link:dap-2020_firmware:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dap-2020_firmware",
            "vendor": "d-link",
            "versions": [
              {
                "lessThanOrEqual": "1.03b01",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-32137",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-06T15:02:05.102361Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-06T15:10:19.566Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:03:29.167Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "ZDI-23-529",
            "tags": [
              "x_research-advisory",
              "x_transferred"
            ],
            "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-529/"
          },
          {
            "name": "vendor-provided URL",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10324"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "DAP-1360",
          "vendor": "D-Link",
          "versions": [
            {
              "status": "affected",
              "version": "6.14B01 EU HOTFIX"
            }
          ]
        }
      ],
      "dateAssigned": "2023-05-03T15:16:42.934-05:00",
      "datePublic": "2023-05-04T17:14:37.774-05:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "D-Link DAP-1360 webproc WEB_DisplayPage Directory Traversal Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DAP-1360 routers. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of requests to the /cgi-bin/webproc endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of root.\n. Was ZDI-CAN-18415."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-09-18T18:28:07.536Z",
        "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "shortName": "zdi"
      },
      "references": [
        {
          "name": "ZDI-23-529",
          "tags": [
            "x_research-advisory"
          ],
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-529/"
        },
        {
          "name": "vendor-provided URL",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10324"
        }
      ],
      "source": {
        "lang": "en",
        "value": "Anonymous"
      },
      "title": "D-Link DAP-1360 webproc WEB_DisplayPage Directory Traversal Information Disclosure Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
    "assignerShortName": "zdi",
    "cveId": "CVE-2023-32137",
    "datePublished": "2024-05-03T01:56:24.719Z",
    "dateReserved": "2023-05-03T20:10:47.058Z",
    "dateUpdated": "2024-09-18T18:28:07.536Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-32137\",\"sourceIdentifier\":\"zdi-disclosures@trendmicro.com\",\"published\":\"2024-05-03T02:15:17.040\",\"lastModified\":\"2024-09-18T19:15:20.510\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"D-Link DAP-1360 webproc WEB_DisplayPage Directory Traversal Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of D-Link DAP-1360 routers. Authentication is not required to exploit this vulnerability.\\n\\nThe specific flaw exists within the handling of requests to the /cgi-bin/webproc endpoint. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of root.\\n. Was ZDI-CAN-18415.\"},{\"lang\":\"es\",\"value\":\"D-Link DAP-1360 webproc WEB_DisplayPage Vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n Directory Traversal. Esta vulnerabilidad permite a atacantes adyacentes a la red revelar informaci\u00f3n confidencial sobre las instalaciones afectadas de los enrutadores D-Link DAP-1360. No se requiere autenticaci\u00f3n para aprovechar esta vulnerabilidad. La falla espec\u00edfica existe en el manejo de solicitudes al endpoint /cgi-bin/webproc. El problema se debe a la falta de validaci\u00f3n adecuada de una ruta proporcionada por el usuario antes de usarla en operaciones de archivos. Un atacante puede aprovechar esta vulnerabilidad para revelar informaci\u00f3n en el contexto de la ra\u00edz. Era ZDI-CAN-18415.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"zdi-disclosures@trendmicro.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"ADJACENT_NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"zdi-disclosures@trendmicro.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10324\",\"source\":\"zdi-disclosures@trendmicro.com\"},{\"url\":\"https://www.zerodayinitiative.com/advisories/ZDI-23-529/\",\"source\":\"zdi-disclosures@trendmicro.com\"}]}}"
  }
}
Action not permitted

CVE-2023-32137

Vulnerability from cvelistv5

var-202305-0219

Vulnerability from variot

gsd-2023-32137

Vulnerability from gsd

ghsa-rc8x-5fp8-vfmj

Vulnerability from github

Tags
