An issue was discovered on GL.iNet devices running firmware before 3.216. There is an arbitrary file write in which an empty file can be created almost anywhere on the filesystem, as long as the filename and path is no more than 6 characters (the working directory is /www).
References
Link | Resource |
---|---|
https://github.com/gl-inet/CVE-issues/blob/main/3.215/GL-MV1000_Arbitrary_File_Creation.md | Exploit Third Party Advisory |
https://www.gl-inet.com | Product |
Configurations
History
16 May 2023, 19:42
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-77 | |
CPE | cpe:2.3:o:gl-inet:gl-mv1000w_firmware:*:*:*:*:*:*:*:* cpe:2.3:h:gl-inet:gl-mv1000w:-:*:*:*:*:*:*:* cpe:2.3:h:gl-inet:gl-mv1000:-:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-mv1000_firmware:*:*:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
First Time |
Gl-inet gl-mv1000 Firmware
Gl-inet gl-mv1000 Gl-inet Gl-inet gl-mv1000w Firmware Gl-inet gl-mv1000w |
|
References | (MISC) https://www.gl-inet.com - Product | |
References | (MISC) https://github.com/gl-inet/CVE-issues/blob/main/3.215/GL-MV1000_Arbitrary_File_Creation.md - Exploit, Third Party Advisory |
09 May 2023, 17:36
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-05-09 16:15
Updated : 2023-12-10 15:01
NVD link : CVE-2023-31476
Mitre link : CVE-2023-31476
CVE.ORG link : CVE-2023-31476
JSON object : View
Products Affected
gl-inet
- gl-mv1000w_firmware
- gl-mv1000_firmware
- gl-mv1000
- gl-mv1000w
CWE
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')