ID

VAR-202308-3086


CVE

CVE-2023-35720


TITLE

ASUS RT-AX92U lighttpd mod_webdav.so SQL Injection Information Disclosure Vulnerability

Trust: 0.7

sources: ZDI: ZDI-23-1166

DESCRIPTION

ASUS RT-AX92U lighttpd mod_webdav.so SQL Injection Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected ASUS RT-AX92U routers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the mod_webdav.so module. When parsing a request, the process does not properly validate a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to disclose information in the context of root. Was ZDI-CAN-16078.

Trust: 1.53

sources: NVD: CVE-2023-35720 // ZDI: ZDI-23-1166

AFFECTED PRODUCTS

vendor: asus
model: rt-ax92u
scope: -
version: -

Trust: 0.7

sources: ZDI: ZDI-23-1166

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com: CVE-2023-35720
value: MEDIUM

Trust: 1.0

ZDI: CVE-2023-35720
value: MEDIUM

Trust: 0.7

zdi-disclosures@trendmicro.com: CVE-2023-35720
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.0

ZDI: CVE-2023-35720
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-23-1166 // NVD: CVE-2023-35720

PROBLEMTYPE DATA

problemtype: CWE-89

Trust: 1.0

sources: NVD: CVE-2023-35720

PATCH

title: ASUS has issued an update to correct this vulnerability.
url: https://www.asus.com/networking-iot-servers/whole-home-mesh-wifi-system/aimesh-wifi-routers-and-systems/rt-ax92u/helpdesk_bios/?model2Name=RT-AX92U

Trust: 0.7

sources: ZDI: ZDI-23-1166

EXTERNAL IDS

db: NVD, id: CVE-2023-35720

Trust: 1.7

db: ZDI, id: ZDI-23-1166

Trust: 1.7

db: ZDI_CAN, id: ZDI-CAN-16078

Trust: 0.7

sources: ZDI: ZDI-23-1166 // NVD: CVE-2023-35720

REFERENCES

url: https://www.asus.com/networking-iot-servers/whole-home-mesh-wifi-system/aimesh-wifi-routers-and-systems/rt-ax92u/helpdesk_bios/?model2name=rt-ax92u

Trust: 1.7

url: https://www.zerodayinitiative.com/advisories/zdi-23-1166/

Trust: 1.0

sources: ZDI: ZDI-23-1166 // NVD: CVE-2023-35720

CREDITS

Anonymous

Trust: 0.7

sources: ZDI: ZDI-23-1166

SOURCES

db: ZDI, id: ZDI-23-1166
db: NVD, id: CVE-2023-35720

LAST UPDATE DATE

2024-08-14T15:20:57.989000+00:00


SOURCES UPDATE DATE

db: ZDI, id: ZDI-23-1166, date: 2023-08-23T00:00:00
db: NVD, id: CVE-2023-35720, date: 2024-05-03T12:50:34.250

SOURCES RELEASE DATE

db: ZDI, id: ZDI-23-1166, date: 2023-08-23T00:00:00
db: NVD, id: CVE-2023-35720, date: 2024-05-03T02:15:34.633