Sign-up

ID

VAR-202308-3502


CVE

CVE-2023-41182


TITLE

of netgear  ProSAFE Network Management System  Past traversal vulnerability in

Trust: 0.8

sources: JVNDB: JVNDB-2023-028105

DESCRIPTION

NETGEAR ProSAFE Network Management System ZipUtils Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the ZipUtils class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-19716. (DoS) It may be in a state

Trust: 2.88

sources: NVD: CVE-2023-41182 // JVNDB: JVNDB-2023-028105 // ZDI: ZDI-23-1284 // CNVD: CNVD-2024-33902 // VULMON: CVE-2023-41182

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2024-33902

AFFECTED PRODUCTS

vendor:netgearmodel:prosafe network management systemscope:ltversion:1.7.0.20

Trust: 1.0

vendor:ネットギアmodel:prosafe network management systemscope: - version: -

Trust: 0.8

vendor:ネットギアmodel:prosafe network management systemscope:eqversion: -

Trust: 0.8

vendor:ネットギアmodel:prosafe network management systemscope:eqversion:1.7.0.20

Trust: 0.8

vendor:netgearmodel:prosafe network management systemscope: - version: -

Trust: 0.7

vendor:netgearmodel:prosafescope: - version: -

Trust: 0.6

sources: ZDI: ZDI-23-1284 // CNVD: CNVD-2024-33902 // JVNDB: JVNDB-2023-028105 // NVD: CVE-2023-41182

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com: CVE-2023-41182
value: HIGH

Trust: 1.0

nvd@nist.gov: CVE-2023-41182
value: HIGH

Trust: 1.0

NVD: CVE-2023-41182
value: HIGH

Trust: 0.8

ZDI: CVE-2023-41182
value: HIGH

Trust: 0.7

CNVD: CNVD-2024-33902
value: HIGH

Trust: 0.6

CNVD: CNVD-2024-33902
severity: HIGH
baseScore: 8.3
vectorString: AV:N/AC:L/AU:M/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: MULTIPLE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 6.4
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

zdi-disclosures@trendmicro.com: CVE-2023-41182
baseSeverity: HIGH
baseScore: 7.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.0

Trust: 1.0

nvd@nist.gov: CVE-2023-41182
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2023-41182
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

ZDI: CVE-2023-41182
baseSeverity: HIGH
baseScore: 7.2
vectorString: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.9
version: 3.0

Trust: 0.7

sources: ZDI: ZDI-23-1284 // CNVD: CNVD-2024-33902 // JVNDB: JVNDB-2023-028105 // NVD: CVE-2023-41182 // NVD: CVE-2023-41182

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.0

problemtype:Path traversal (CWE-22) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2023-028105 // NVD: CVE-2023-41182

PATCH

title:NETGEAR has issued an update to correct this vulnerability.url:https://kb.netgear.com/000065705/Security-Advisory-for-Post-authentication-Command-Injection-on-the-Prosafe-Network-Management-System-PSV-2023-0037

Trust: 0.7

title:Patch for NETGEAR ProSAFE Directory Traversal Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/574116

Trust: 0.6

sources: ZDI: ZDI-23-1284 // CNVD: CNVD-2024-33902

EXTERNAL IDS

db:NVDid:CVE-2023-41182

Trust: 4.0

db:ZDIid:ZDI-23-1284

Trust: 2.6

db:JVNDBid:JVNDB-2023-028105

Trust: 0.8

db:ZDI_CANid:ZDI-CAN-19716

Trust: 0.7

db:CNVDid:CNVD-2024-33902

Trust: 0.6

db:VULMONid:CVE-2023-41182

Trust: 0.1

sources: ZDI: ZDI-23-1284 // CNVD: CNVD-2024-33902 // VULMON: CVE-2023-41182 // JVNDB: JVNDB-2023-028105 // NVD: CVE-2023-41182

REFERENCES

url:https://kb.netgear.com/000065705/security-advisory-for-post-authentication-command-injection-on-the-prosafe-network-management-system-psv-2023-0037

Trust: 2.5

url:https://www.zerodayinitiative.com/advisories/zdi-23-1284/

Trust: 1.9

url:https://nvd.nist.gov/vuln/detail/cve-2023-41182

Trust: 0.8

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2023-41182

Trust: 0.6

sources: ZDI: ZDI-23-1284 // CNVD: CNVD-2024-33902 // VULMON: CVE-2023-41182 // JVNDB: JVNDB-2023-028105 // NVD: CVE-2023-41182

CREDITS

Steven Seeley of Source Incite

Trust: 0.7

sources: ZDI: ZDI-23-1284

SOURCES

db:ZDIid:ZDI-23-1284
db:CNVDid:CNVD-2024-33902
db:VULMONid:CVE-2023-41182
db:JVNDBid:JVNDB-2023-028105
db:NVDid:CVE-2023-41182

LAST UPDATE DATE

2025-02-10T23:43:30.529000+00:00


SOURCES UPDATE DATE

db:ZDIid:ZDI-23-1284date:2023-08-30T00:00:00
db:CNVDid:CNVD-2024-33902date:2024-07-30T00:00:00
db:JVNDBid:JVNDB-2023-028105date:2025-02-10T05:55:00
db:NVDid:CVE-2023-41182date:2025-02-07T01:59:45.060

SOURCES RELEASE DATE

db:ZDIid:ZDI-23-1284date:2023-08-30T00:00:00
db:CNVDid:CNVD-2024-33902date:2024-07-25T00:00:00
db:JVNDBid:JVNDB-2023-028105date:2025-02-10T00:00:00
db:NVDid:CVE-2023-41182date:2024-05-03T03:15:27.740