GSD-2023-25643
Vulnerability from gsd - Updated: 2023-12-13 01:20Details
There is a command injection vulnerability in some ZTE mobile internet products. Due to insufficient input validation of multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-25643",
"id": "GSD-2023-25643"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2023-25643"
],
"details": "\n\n\nThere is a command injection vulnerability in some ZTE mobile internet\u00a0products. Due to insufficient input\u00a0validation of\u00a0multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands.\n\n\n\n",
"id": "GSD-2023-25643",
"modified": "2023-12-13T01:20:40.862760Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "psirt@zte.com.cn",
"ID": "CVE-2023-25643",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "MC801A",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "MC801A_Elisa3_B19",
"version_value": "B19"
}
]
}
},
{
"product_name": "MC801A1",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "MC801A1_Elisa1_B04",
"version_value": "B04"
}
]
}
}
]
},
"vendor_name": "ZTE"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "\n\n\nThere is a command injection vulnerability in some ZTE mobile internet\u00a0products. Due to insufficient input\u00a0validation of\u00a0multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands.\n\n\n\n"
}
]
},
"generator": {
"engine": "Vulnogram 0.1.0-dev"
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-77",
"lang": "eng",
"value": "CWE-77 Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032504",
"refsource": "MISC",
"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032504"
}
]
},
"solution": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMC801A_Elisa3_B22,\u0026nbsp;\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eMC801A1_Elisa1_B06\u003c/span\u003e\n\n\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "\nMC801A_Elisa3_B22,\u00a0\n\nMC801A1_Elisa1_B06\n\n\n"
}
],
"source": {
"discovery": "UNKNOWN"
}
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:zte:mc801a_firmware:mc801a_elisa3_b19:*:*:*:*:*:*:*",
"matchCriteriaId": "26E81BDF-7249-4834-BE1A-F59972F3D4CE",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:zte:mc801a:-:*:*:*:*:*:*:*",
"matchCriteriaId": "DC8126B4-CBCF-4616-886B-E50C089D2F6B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:zte:mc801a1_firmware:mc801a1_elisa1_b04:*:*:*:*:*:*:*",
"matchCriteriaId": "5AE44916-2BFF-44C9-B434-DC47473E3E1A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:zte:mc801a1:-:*:*:*:*:*:*:*",
"matchCriteriaId": "CE626E17-D246-4A9C-8B2C-08F7760118B8",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"descriptions": [
{
"lang": "en",
"value": "\n\n\nThere is a command injection vulnerability in some ZTE mobile internet\u00a0products. Due to insufficient input\u00a0validation of\u00a0multiple network parameters, an authenticated attacker could use the vulnerability to execute arbitrary commands.\n\n\n\n"
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de inyecci\u00f3n de comandos en algunos productos de internet m\u00f3vil de ZTE. Debido a una validaci\u00f3n de entrada insuficiente de m\u00faltiples par\u00e1metros de red, un atacante autenticado podr\u00eda utilizar la vulnerabilidad para ejecutar comandos arbitrarios."
}
],
"id": "CVE-2023-25643",
"lastModified": "2023-12-18T20:09:13.630",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.7,
"impactScore": 6.0,
"source": "psirt@zte.com.cn",
"type": "Secondary"
}
]
},
"published": "2023-12-14T08:15:38.357",
"references": [
{
"source": "psirt@zte.com.cn",
"tags": [
"Vendor Advisory"
],
"url": "https://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1032504"
}
],
"sourceIdentifier": "psirt@zte.com.cn",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "psirt@zte.com.cn",
"type": "Secondary"
}
]
}
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…