Details of VAR-202309-1522

ID

VAR-202309-1522

CVE

CVE-2023-41029

TITLE

Juplink of RX4-1500 Command injection vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2023-013228

DESCRIPTION

Command injection vulnerability in the homemng.htm endpoint in Juplink RX4-1500 Wifi router firmware versions V1.0.2, V1.0.3, V1.0.4, and V1.0.5 allows authenticated remote attackers to execute commands as root via specially crafted HTTP requests to the vulnerable endpoint. Juplink of RX4-1500 Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.71

sources: NVD: CVE-2023-41029 // JVNDB: JVNDB-2023-013228 // VULMON: CVE-2023-41029

AFFECTED PRODUCTS

vendor:	juplink	model:	rx4-1500	scope:	eq	version:	1.0.5	Trust: 1.0
vendor:	juplink	model:	rx4-1500	scope:	eq	version:	1.0.4	Trust: 1.0
vendor:	juplink	model:	rx4-1500	scope:	eq	version:	1.0.3	Trust: 1.0
vendor:	juplink	model:	rx4-1500	scope:	eq	version:	1.0.2	Trust: 1.0
vendor:	juplink	model:	rx4-1500	scope:	eq	version:	rx4-1500 firmware 1.0.2	Trust: 0.8
vendor:	juplink	model:	rx4-1500	scope:	eq	version:	rx4-1500 firmware 1.0.4	Trust: 0.8
vendor:	juplink	model:	rx4-1500	scope:	eq	version:	rx4-1500 firmware 1.0.5	Trust: 0.8
vendor:	juplink	model:	rx4-1500	scope:	eq	version:	-	Trust: 0.8
vendor:	juplink	model:	rx4-1500	scope:	eq	version:	rx4-1500 firmware 1.0.3	Trust: 0.8
vendor:	juplink	model:	rx4-1500	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2023-013228 // NVD: CVE-2023-41029

CVSS

SEVERITY

CVSSV2

CVSSV3

disclosures@exodusintel.com:	CVE-2023-41029
value:	HIGH
Trust: 1.0
nvd@nist.gov:	CVE-2023-41029
value:	HIGH
Trust: 1.0
NVD:	CVE-2023-41029
value:	HIGH
Trust: 0.8

disclosures@exodusintel.com:	CVE-2023-41029
severity:	HIGH
baseScore:	7.7
vectorString:	AV:A/AC:L/AU:S/C:C/I:C/A:C
accessVector:	ADJACENT_NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	5.1
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.0

disclosures@exodusintel.com:	CVE-2023-41029
baseSeverity:	HIGH
baseScore:	8.0
vectorString:	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.1
impactScore:	5.9
version:	3.1
Trust: 1.0
nvd@nist.gov:	CVE-2023-41029
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
NVD:	CVE-2023-41029
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2023-013228 // NVD: CVE-2023-41029 // NVD: CVE-2023-41029

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.0
problemtype:	Command injection (CWE-77) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-013228 // NVD: CVE-2023-41029

EXTERNAL IDS

db:	NVD	id:	CVE-2023-41029	Trust: 2.7
db:	JVNDB	id:	JVNDB-2023-013228	Trust: 0.8
db:	VULMON	id:	CVE-2023-41029	Trust: 0.1

sources: VULMON: CVE-2023-41029 // JVNDB: JVNDB-2023-013228 // NVD: CVE-2023-41029

REFERENCES

url:	https://blog.exodusintel.com/2023/09/18/juplink-rx4-1500-command-injection-vulnerability/	Trust: 1.9
url:	https://nvd.nist.gov/vuln/detail/cve-2023-41029	Trust: 0.8
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULMON: CVE-2023-41029 // JVNDB: JVNDB-2023-013228 // NVD: CVE-2023-41029

SOURCES

db:	VULMON	id:	CVE-2023-41029
db:	JVNDB	id:	JVNDB-2023-013228
db:	NVD	id:	CVE-2023-41029

LAST UPDATE DATE

2024-08-14T15:41:36.607000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2023-41029	date:	2023-09-23T00:00:00
db:	JVNDB	id:	JVNDB-2023-013228	date:	2023-12-20T03:28:00
db:	NVD	id:	CVE-2023-41029	date:	2023-09-26T14:27:48.917

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2023-41029	date:	2023-09-22T00:00:00
db:	JVNDB	id:	JVNDB-2023-013228	date:	2023-12-20T00:00:00
db:	NVD	id:	CVE-2023-41029	date:	2023-09-22T17:15:10.957