Sign-up

ID

VAR-202305-0900


CVE

CVE-2023-2649


TITLE

Tenda AC23 Command Injection Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2023-45447 // CNNVD: CNNVD-202305-1018

DESCRIPTION

A vulnerability was found in Tenda AC23 16.03.07.45_cn. It has been declared as critical. This vulnerability affects unknown code of the file /bin/ate of the component Service Port 7329. The manipulation of the argument v2 leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-228778 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. of ac23 Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. The vulnerability stems from the fact that the parameter v2 of the file /bin/ate fails to properly filter special characters and commands in the construction command. Attackers can use this vulnerability to cause arbitrary command execution

Trust: 2.25

sources: NVD: CVE-2023-2649 // JVNDB: JVNDB-2023-010293 // CNVD: CNVD-2023-45447 // VULMON: CVE-2023-2649

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2023-45447

AFFECTED PRODUCTS

vendor:tendamodel:ac23scope:eqversion:16.03.07.45_cn

Trust: 1.0

vendor:tendamodel:ac23scope:eqversion:ac23 firmware 16.03.07.45 cn

Trust: 0.8

vendor:tendamodel:ac23scope:eqversion: -

Trust: 0.8

vendor:tendamodel:ac23scope: - version: -

Trust: 0.8

vendor:jixiang tengdamodel:ac23 16.03.07.45 cnscope: - version: -

Trust: 0.6

sources: CNVD: CNVD-2023-45447 // JVNDB: JVNDB-2023-010293 // NVD: CVE-2023-2649

CVSS

SEVERITY

CVSSV2

CVSSV3

cna@vuldb.com: CVE-2023-2649
value: HIGH

Trust: 1.0

nvd@nist.gov: CVE-2023-2649
value: HIGH

Trust: 1.0

NVD: CVE-2023-2649
value: HIGH

Trust: 0.8

CNVD: CNVD-2023-45447
value: HIGH

Trust: 0.6

CNNVD: CNNVD-202305-1018
value: HIGH

Trust: 0.6

cna@vuldb.com: CVE-2023-2649
severity: HIGH
baseScore: 8.3
vectorString: AV:N/AC:L/AU:M/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

CNVD: CNVD-2023-45447
severity: HIGH
baseScore: 9.0
vectorString: AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

cna@vuldb.com: CVE-2023-2649
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2023-2649
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2023-2649
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2023-45447 // JVNDB: JVNDB-2023-010293 // CNNVD: CNNVD-202305-1018 // NVD: CVE-2023-2649 // NVD: CVE-2023-2649

PROBLEMTYPE DATA

problemtype:CWE-77

Trust: 1.0

problemtype:Command injection (CWE-77) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-010293 // NVD: CVE-2023-2649

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202305-1018

TYPE

command injection

Trust: 0.6

sources: CNNVD: CNNVD-202305-1018

EXTERNAL IDS

db:NVDid:CVE-2023-2649

Trust: 3.9

db:VULDBid:228778

Trust: 2.5

db:JVNDBid:JVNDB-2023-010293

Trust: 0.8

db:CNVDid:CNVD-2023-45447

Trust: 0.6

db:CNNVDid:CNNVD-202305-1018

Trust: 0.6

db:VULMONid:CVE-2023-2649

Trust: 0.1

sources: CNVD: CNVD-2023-45447 // VULMON: CVE-2023-2649 // JVNDB: JVNDB-2023-010293 // CNNVD: CNNVD-202305-1018 // NVD: CVE-2023-2649

REFERENCES

url:https://vuldb.com/?ctiid.228778

Trust: 3.1

url:https://github.com/xinzhihen06/ac23tenda/blob/main/tendaac23.md

Trust: 2.5

url:https://vuldb.com/?id.228778

Trust: 2.5

url:https://nvd.nist.gov/vuln/detail/cve-2023-2649

Trust: 0.8

url:https://cxsecurity.com/cveshow/cve-2023-2649/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/77.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

sources: CNVD: CNVD-2023-45447 // VULMON: CVE-2023-2649 // JVNDB: JVNDB-2023-010293 // CNNVD: CNNVD-202305-1018 // NVD: CVE-2023-2649

SOURCES

db:CNVDid:CNVD-2023-45447
db:VULMONid:CVE-2023-2649
db:JVNDBid:JVNDB-2023-010293
db:CNNVDid:CNNVD-202305-1018
db:NVDid:CVE-2023-2649

LAST UPDATE DATE

2024-08-14T15:26:37.679000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2023-45447date:2023-06-09T00:00:00
db:VULMONid:CVE-2023-2649date:2023-05-11T00:00:00
db:JVNDBid:JVNDB-2023-010293date:2023-12-08T05:33:00
db:CNNVDid:CNNVD-202305-1018date:2023-05-22T00:00:00
db:NVDid:CVE-2023-2649date:2024-05-17T02:23:07.263

SOURCES RELEASE DATE

db:CNVDid:CNVD-2023-45447date:2023-06-09T00:00:00
db:VULMONid:CVE-2023-2649date:2023-05-11T00:00:00
db:JVNDBid:JVNDB-2023-010293date:2023-12-08T00:00:00
db:CNNVDid:CNNVD-202305-1018date:2023-05-11T00:00:00
db:NVDid:CVE-2023-2649date:2023-05-11T08:15:08.843