ID

VAR-202304-0279


CVE

CVE-2023-20124


TITLE

Command injection vulnerabilities in multiple Cisco Systems products

Trust: 0.8

sources: JVNDB: JVNDB-2023-006871

DESCRIPTION

A vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow an authenticated, remote attacker to execute arbitrary commands on an affected device. This vulnerability is due to improper validation of user input within incoming HTTP packets. An attacker could exploit this vulnerability by sending a crafted HTTP request to the web-based management interface. A successful exploit could allow the attacker to gain root-level privileges and access unauthorized data. To exploit this vulnerability, an attacker would need to have valid administrative credentials on the affected device. Cisco has not released software updates that address this vulnerability. RV016 Multi-WAN VPN firmware, RV042 Dual WAN VPN firmware, RV042G Dual Gigabit WAN VPN Command injection vulnerabilities exist in multiple Cisco Systems products, including firmware.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2023-20124 // JVNDB: JVNDB-2023-006871 // VULMON: CVE-2023-20124

AFFECTED PRODUCTS

vendor:ciscomodel:rv082scope:eqversion: -

Trust: 1.0

vendor:ciscomodel:rv325scope:eqversion: -

Trust: 1.0

vendor:ciscomodel:rv042scope:eqversion: -

Trust: 1.0

vendor:ciscomodel:rv016scope:eqversion: -

Trust: 1.0

vendor:ciscomodel:rv320scope:eqversion: -

Trust: 1.0

vendor:ciscomodel:rv042gscope:eqversion: -

Trust: 1.0

vendor:シスコシステムズmodel:rv042g dual gigabit wan vpnscope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:rv016 multi-wan vpnscope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:rv082 dual wan vpnscope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:cisco rv325 dual gigabit wan vpn ルータscope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:cisco rv320 dual gigabit wan vpn ルータscope: - version: -

Trust: 0.8

vendor:シスコシステムズmodel:rv042 dual wan vpnscope: - version: -

Trust: 0.8

sources: JVNDB: JVNDB-2023-006871 // NVD: CVE-2023-20124

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2023-20124
value: HIGH

Trust: 1.0

ykramarz@cisco.com: CVE-2023-20124
value: MEDIUM

Trust: 1.0

NVD: CVE-2023-20124
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202304-330
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2023-20124
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

ykramarz@cisco.com: CVE-2023-20124
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: NONE
exploitabilityScore: 1.2
impactScore: 5.2
version: 3.1

Trust: 1.0

NVD: CVE-2023-20124
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2023-006871 // CNNVD: CNNVD-202304-330 // NVD: CVE-2023-20124 // NVD: CVE-2023-20124

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.0

problemtype:Command injection (CWE-77) [NVD evaluation ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-006871 // NVD: CVE-2023-20124

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202304-330

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202304-330

PATCH

title:cisco-sa-sb-rv01x_rv32x_rce-nzAGWWDDurl:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sb-rv01x_rv32x_rce-nzAGWWDD

Trust: 0.8

title:Cisco Small Business Fixes for command injection vulnerabilitiesurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=233028

Trust: 0.6

title:Cisco: Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers Remote Command Execution Vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=cisco_security_advisories_and_alerts_ciscoproducts&qid=cisco-sa-sb-rv01x_rv32x_rce-nzAGWWDD

Trust: 0.1

sources: VULMON: CVE-2023-20124 // JVNDB: JVNDB-2023-006871 // CNNVD: CNNVD-202304-330

EXTERNAL IDS

db:NVDid:CVE-2023-20124

Trust: 3.3

db:JVNDBid:JVNDB-2023-006871

Trust: 0.8

db:AUSCERTid:ESB-2023.2024

Trust: 0.6

db:CNNVDid:CNNVD-202304-330

Trust: 0.6

db:VULMONid:CVE-2023-20124

Trust: 0.1

sources: VULMON: CVE-2023-20124 // JVNDB: JVNDB-2023-006871 // CNNVD: CNNVD-202304-330 // NVD: CVE-2023-20124

REFERENCES

url:https://sec.cloudapps.cisco.com/security/center/content/ciscosecurityadvisory/cisco-sa-sb-rv01x_rv32x_rce-nzagwwdd

Trust: 1.8

url:https://nvd.nist.gov/vuln/detail/cve-2023-20124

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2023-20124/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.2024

Trust: 0.6

url:https://nvd.nist.gov

Trust: 0.1

sources: VULMON: CVE-2023-20124 // JVNDB: JVNDB-2023-006871 // CNNVD: CNNVD-202304-330 // NVD: CVE-2023-20124

SOURCES

db:VULMONid:CVE-2023-20124
db:JVNDBid:JVNDB-2023-006871
db:CNNVDid:CNNVD-202304-330
db:NVDid:CVE-2023-20124

LAST UPDATE DATE

2024-08-14T14:01:58.097000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2023-20124date:2023-04-05T00:00:00
db:JVNDBid:JVNDB-2023-006871date:2023-11-16T07:39:00
db:CNNVDid:CNNVD-202304-330date:2023-04-12T00:00:00
db:NVDid:CVE-2023-20124date:2023-11-07T04:06:07.280

SOURCES RELEASE DATE

db:VULMONid:CVE-2023-20124date:2023-04-05T00:00:00
db:JVNDBid:JVNDB-2023-006871date:2023-11-16T00:00:00
db:CNNVDid:CNNVD-202304-330date:2023-04-05T00:00:00
db:NVDid:CVE-2023-20124date:2023-04-05T18:15:07.590