Shell Injection vulnerability GL.iNet A1300 v4.4.6, AX1800 v4.4.6, AXT1800 v4.4.6, MT3000 v4.4.6, MT2500 v4.4.6, MT6000 v4.5.0, MT1300 v4.3.7, MT300N-V2 v4.3.7, AR750S v4.3.7, AR750 v4.3.7, AR300M v4.3.7, and B1300 v4.3.7., allows local attackers to execute arbitrary code via the get_system_log and get_crash_log functions of the logread module, as well as the upgrade_online function of the upgrade module.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors Products
Gl-inet
  • Gl-mt2500 Firmware
  • Gl-mt3000
  • Gl-ar750 Firmware
  • Gl-b1300 Firmware
  • Gl-a1300 Firmware
  • Gl-mt2500
  • Gl-mt300n-v2 Firmware
  • Gl-mt3000 Firmware
  • Gl-b1300
  • Gl-ar750s Firmware
  • Gl-mt6000
  • Gl-axt1800
  • Gl-ar750
  • Gl-ar300m
  • Gl-mt1300 Firmware
  • Gl-a1300
  • Gl-ax1800 Firmware
  • Gl-ar750s
  • Gl-mt1300
  • Gl-ar300m Firmware
  • Gl-mt6000 Firmware
  • Gl-ax1800
  • Gl-axt1800 Firmware
  • Gl-mt300n-v2

Configuration 1 [-]

AND
cpe:2.3:o:gl-inet:gl-mt1300_firmware:4.3.7:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:gl-mt1300:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND
cpe:2.3:o:gl-inet:gl-mt300n-v2_firmware:4.3.7:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:gl-mt300n-v2:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND
cpe:2.3:o:gl-inet:gl-ar750s_firmware:4.3.7:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:gl-ar750s:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND
cpe:2.3:o:gl-inet:gl-ar750_firmware:4.3.7:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:gl-ar750:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND
cpe:2.3:o:gl-inet:gl-ar300m_firmware:4.3.7:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:gl-ar300m:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND
cpe:2.3:o:gl-inet:gl-b1300_firmware:4.3.7:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:gl-b1300:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND
cpe:2.3:o:gl-inet:gl-mt6000_firmware:4.5.0:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:gl-mt6000:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND
cpe:2.3:o:gl-inet:gl-a1300_firmware:4.4.6:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:gl-a1300:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND
cpe:2.3:o:gl-inet:gl-ax1800_firmware:4.4.6:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:gl-ax1800:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND
cpe:2.3:o:gl-inet:gl-axt1800_firmware:4.4.6:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:gl-axt1800:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND
cpe:2.3:o:gl-inet:gl-mt3000_firmware:4.4.6:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:gl-mt3000:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND
cpe:2.3:o:gl-inet:gl-mt2500_firmware:4.4.6:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:gl-mt2500:-:*:*:*:*:*:*:*
References
Link Resource
http://packetstormsecurity.com/files/176708/GL.iNet-Unauthenticated-Remote-Command-Execution.html
https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Using%20Shell%20Metacharacter%20Injection%20via%20API.md Exploit Third Party Advisory
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2023-12-28T00:00:00

Updated: 2024-06-04T17:17:57.563Z

Reserved: 2023-12-10T00:00:00

Link: CVE-2023-50445

JSON object: View

cve-icon NVD Information

Status : Modified

Published: 2023-12-28T05:15:08.427

Modified: 2024-01-24T16:15:08.313

Link: CVE-2023-50445

JSON object: View

cve-icon Redhat Information

No data.

CWE