CVE-2023-2378

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-2378
A vulnerability was found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. It has been rated as critical. Affected by this issue is some unknown functionality of the component Web Management Interface. The manipulation of the argument suffix-rate-up leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-227654 is the identifier assigned to this vulnerability.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5 /10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
https://github.com/leetsun/IoT/tree/main/EdgeRouterX/CI/4 Exploit Third Party Advisory
https://vuldb.com/?ctiid.227654 Third Party Advisory
https://vuldb.com/?id.227654 Third Party Advisory
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:o:ui:er-x_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:ui:er-x_firmware:2.0.9:-:*:*:*:*:*:*
cpe:2.3:o:ui:er-x_firmware:2.0.9:hotfix2:*:*:*:*:*:*
cpe:2.3:o:ui:er-x_firmware:2.0.9:hotfix3:*:*:*:*:*:*
cpe:2.3:o:ui:er-x_firmware:2.0.9:hotfix4:*:*:*:*:*:*
cpe:2.3:o:ui:er-x_firmware:2.0.9:hotfix5:*:*:*:*:*:*
cpe:2.3:o:ui:er-x_firmware:2.0.9:hotfix6:*:*:*:*:*:*
cpe:2.3:h:ui:er-x:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
OR cpe:2.3:o:ui:er-x-sfp_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:ui:er-x-sfp_firmware:2.0.9:-:*:*:*:*:*:*
cpe:2.3:o:ui:er-x-sfp_firmware:2.0.9:hotfix2:*:*:*:*:*:*
cpe:2.3:o:ui:er-x-sfp_firmware:2.0.9:hotfix3:*:*:*:*:*:*
cpe:2.3:o:ui:er-x-sfp_firmware:2.0.9:hotfix4:*:*:*:*:*:*
cpe:2.3:o:ui:er-x-sfp_firmware:2.0.9:hotfix5:*:*:*:*:*:*
cpe:2.3:o:ui:er-x-sfp_firmware:2.0.9:hotfix6:*:*:*:*:*:*
cpe:2.3:h:ui:er-x-sfp:-:*:*:*:*:*:*:*
History

08 May 2023, 14:09

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8
References (MISC) https://github.com/leetsun/IoT/tree/main/EdgeRouterX/CI/4 - (MISC) https://github.com/leetsun/IoT/tree/main/EdgeRouterX/CI/4 - Exploit, Third Party Advisory
References (MISC) https://vuldb.com/?id.227654 - (MISC) https://vuldb.com/?id.227654 - Third Party Advisory
References (MISC) https://vuldb.com/?ctiid.227654 - (MISC) https://vuldb.com/?ctiid.227654 - Third Party Advisory
First Time Ui
Ui er-x-sfp Firmware
Ui er-x-sfp
Ui er-x
Ui er-x Firmware
CPE cpe:2.3:o:ui:er-x-sfp_firmware:2.0.9:-:*:*:*:*:*:*
cpe:2.3:o:ui:er-x-sfp_firmware:2.0.9:hotfix6:*:*:*:*:*:*
cpe:2.3:o:ui:er-x_firmware:2.0.9:-:*:*:*:*:*:*
cpe:2.3:o:ui:er-x-sfp_firmware:2.0.9:hotfix2:*:*:*:*:*:*
cpe:2.3:h:ui:er-x-sfp:-:*:*:*:*:*:*:*
cpe:2.3:o:ui:er-x_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:ui:er-x-sfp_firmware:2.0.9:hotfix4:*:*:*:*:*:*
cpe:2.3:o:ui:er-x-sfp_firmware:2.0.9:hotfix3:*:*:*:*:*:*
cpe:2.3:o:ui:er-x-sfp_firmware:2.0.9:hotfix5:*:*:*:*:*:*
cpe:2.3:o:ui:er-x_firmware:2.0.9:hotfix6:*:*:*:*:*:*
cpe:2.3:o:ui:er-x_firmware:2.0.9:hotfix5:*:*:*:*:*:*
cpe:2.3:h:ui:er-x:-:*:*:*:*:*:*:*
cpe:2.3:o:ui:er-x_firmware:2.0.9:hotfix4:*:*:*:*:*:*
cpe:2.3:o:ui:er-x_firmware:2.0.9:hotfix2:*:*:*:*:*:*
cpe:2.3:o:ui:er-x_firmware:2.0.9:hotfix3:*:*:*:*:*:*
cpe:2.3:o:ui:er-x-sfp_firmware:*:*:*:*:*:*:*:*

28 Apr 2023, 17:06

Type Values Removed Values Added
New CVE
Information

Published : 2023-04-28 16:15

Updated : 2024-04-11 01:19

NVD link : CVE-2023-2378

Mitre link : CVE-2023-2378

CVE.ORG link : CVE-2023-2378

JSON object : View

Products Affected

ui

  • er-x-sfp
  • er-x
  • er-x-sfp_firmware
  • er-x_firmware
CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')