CVE-2023-50445
28.12.2023, 05:15
Shell Injection vulnerability GL.iNet A1300 v4.4.6, AX1800 v4.4.6, AXT1800 v4.4.6, MT3000 v4.4.6, MT2500 v4.4.6, MT6000 v4.5.0, MT1300 v4.3.7, MT300N-V2 v4.3.7, AR750S v4.3.7, AR750 v4.3.7, AR300M v4.3.7, and B1300 v4.3.7., allows local attackers to execute arbitrary code via the get_system_log and get_crash_log functions of the logread module, as well as the upgrade_online function of the upgrade module.
| Vendor | Product | Version |
|---|---|---|
| gl-inet | gl-mt1300_firmware | 4.3.7 |
| gl-inet | gl-mt300n-v2_firmware | 4.3.7 |
| gl-inet | gl-ar750s_firmware | 4.3.7 |
| gl-inet | gl-ar750_firmware | 4.3.7 |
| gl-inet | gl-ar300m_firmware | 4.3.7 |
| gl-inet | gl-b1300_firmware | 4.3.7 |
| gl-inet | gl-mt6000_firmware | 4.5.0 |
| gl-inet | gl-a1300_firmware | 4.4.6 |
| gl-inet | gl-ax1800_firmware | 4.4.6 |
| gl-inet | gl-axt1800_firmware | 4.4.6 |
| gl-inet | gl-mt3000_firmware | 4.4.6 |
| gl-inet | gl-mt2500_firmware | 4.4.6 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
References