OpenNDS, as used in Sierra Wireless ALEOS before 4.17.0.12 and other products, allows remote attackers to cause a denial of service (NULL pointer dereference, daemon crash, and Captive Portal outage) via a GET request to /opennds_auth/ that lacks a custom query string parameter and client-token.
References
Configurations
Configuration 1 (hide)
| AND |
|
History
03 Jan 2024, 22:30
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
| First Time |
Sierrawireless lx40
Sierrawireless rv55 Sierrawireless rv50x Sierrawireless mp70 Sierrawireless lx60 Sierrawireless Sierrawireless aleos |
|
| CPE | cpe:2.3:h:sierrawireless:lx40:-:*:*:*:*:*:*:* cpe:2.3:o:sierrawireless:aleos:*:*:*:*:*:*:*:* cpe:2.3:h:sierrawireless:rv50x:-:*:*:*:*:*:*:* cpe:2.3:h:sierrawireless:mp70:-:*:*:*:*:*:*:* cpe:2.3:h:sierrawireless:rv55:-:*:*:*:*:*:*:* cpe:2.3:h:sierrawireless:lx60:-:*:*:*:*:*:*:* |
|
| CWE | CWE-476 | |
| References | () https://github.com/openNDS/openNDS/blob/master/ChangeLog - Release Notes | |
| References | () https://openwrt.org/docs/guide-user/services/captive-portal/opennds - Product | |
| References | () https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx - Vendor Advisory |
26 Dec 2023, 20:34
| Type | Values Removed | Values Added |
|---|---|---|
| Summary |
|
25 Dec 2023, 09:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-12-25 09:15
Updated : 2024-01-03 22:30
NVD link : CVE-2023-38321
Mitre link : CVE-2023-38321
CVE.ORG link : CVE-2023-38321
JSON object : View
Products Affected
sierrawireless
- aleos
- lx60
- rv55
- rv50x
- lx40
- mp70
CWE
CWE-476
NULL Pointer Dereference