CVE-2023-33238

TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command injection vulnerability. This vulnerability stems from inadequate input validation in the certificate management function, which could potentially allow malicious users to execute remote code on affected devices.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230402-tn-5900-and-tn-4900-series-web-server-multiple-vulnerabilities	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:moxa:tn-5900_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:moxa:tn-5900:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:moxa:tn-4900_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:moxa:tn-4900:-:*:*:*:*:*:*:*

History

22 Aug 2023, 19:10

Type	Values Removed	Values Added
CPE		cpe:2.3:o:moxa:tn-5900_firmware:::::::: cpe:2.3:o:moxa:tn-4900_firmware:::::::: cpe:2.3:h:moxa:tn-4900:-:::::::* cpe:2.3:h:moxa:tn-5900:-:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
CWE		CWE-77
First Time		Moxa tn-5900 Moxa tn-4900 Moxa tn-5900 Firmware Moxa Moxa tn-4900 Firmware
References	~~(MISC) https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230402-tn-5900-and-tn-4900-series-web-server-multiple-vulnerabilities -~~	(MISC) https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230402-tn-5900-and-tn-4900-series-web-server-multiple-vulnerabilities - Patch, Vendor Advisory

17 Aug 2023, 03:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-08-17 03:15

Updated : 2023-12-10 15:14

NVD link : CVE-2023-33238

Mitre link : CVE-2023-33238

CVE.ORG link : CVE-2023-33238

JSON object : View

Products Affected

moxa

tn-4900_firmware
tn-5900_firmware
tn-4900
tn-5900

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2023-33238", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "psirt@moxa.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2023-08-17T03:15:09.377", "references": [{"url": "https://www.moxa.com/en/support/product-support/security-advisory/mpsa-230402-tn-5900-and-tn-4900-series-web-server-multiple-vulnerabilities", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@moxa.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-77"}]}, {"type": "Secondary", "source": "psirt@moxa.com", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "TN-4900 Series firmware versions v1.2.4 and prior and TN-5900 Series firmware versions v3.3 and prior are vulnerable to the command injection vulnerability. This vulnerability stems from inadequate input validation in the certificate management function, which could potentially allow malicious users to execute remote code on affected devices.\n\n"}], "lastModified": "2023-08-22T19:10:24.183", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:moxa:tn-5900_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ABA65A45-A850-440B-8B4B-191D46059E71", "versionEndIncluding": "3.3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:moxa:tn-5900:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "7D1E9F45-0ED4-4223-BC9B-D2E01A583DCA"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:moxa:tn-4900_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "442E0C68-A369-4079-86CC-0E63408C48E7", "versionEndIncluding": "1.2.4"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:moxa:tn-4900:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "56CD9ADD-E963-42F4-A2E5-175A0D2EE8D0"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@moxa.com"}