CVE-2023-31472

An issue was discovered on GL.iNet devices before 3.216. There is an arbitrary file write in which an empty file can be created anywhere on the filesystem. This is caused by a command injection vulnerability with a filter applied.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/gl-inet/CVE-issues/blob/main/3.215/Arbitrary_File_Creation.md	Exploit Vendor Advisory
https://www.gl-inet.com	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:gl-inet:gl-s20_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-s20:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:gl-inet:gl-x3000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-x3000:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:gl-inet:gl-mt3000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-mt3000:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:gl-inet:gl-mt2500_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-mt2500:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:gl-inet:gl-mt2500a_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-mt2500a:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:gl-inet:gl-axt1800_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-axt1800:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:gl-inet:gl-a1300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-a1300:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:gl-inet:gl-ax1800_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-ax1800:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:gl-inet:gl-sft1200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-sft1200:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:gl-inet:gl-mt1300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-mt1300:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:gl-inet:gl-e750_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-e750:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:gl-inet:gl-mv1000_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-mv1000:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:gl-inet:gl-mv1000w_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-mv1000w:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:gl-inet:gl-s10_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-s10:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND

cpe:2.3:o:gl-inet:gl-s200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-s200:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND

cpe:2.3:o:gl-inet:gl-s1300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-s1300:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND

cpe:2.3:o:gl-inet:gl-sf1200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-sf1200:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND

cpe:2.3:o:gl-inet:gl-b1300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-b1300:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND

cpe:2.3:o:gl-inet:gl-b2200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-b2200:-:*:*:*:*:*:*:*

Configuration 20 (hide)

AND

cpe:2.3:o:gl-inet:gl-ap1300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-ap1300:-:*:*:*:*:*:*:*

Configuration 21 (hide)

AND

cpe:2.3:o:gl-inet:gl-ap1300lte_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-ap1300lte:-:*:*:*:*:*:*:*

Configuration 22 (hide)

AND

cpe:2.3:o:gl-inet:gl-x1200_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-x1200:-:*:*:*:*:*:*:*

Configuration 23 (hide)

AND

cpe:2.3:o:gl-inet:gl-x750_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-x750:-:*:*:*:*:*:*:*

Configuration 24 (hide)

AND

cpe:2.3:o:gl-inet:gl-x300b_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-x300b:-:*:*:*:*:*:*:*

Configuration 25 (hide)

AND

cpe:2.3:o:gl-inet:gl-xe300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-xe300:-:*:*:*:*:*:*:*

Configuration 26 (hide)

AND

cpe:2.3:o:gl-inet:gl-ar750s_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-ar750s:-:*:*:*:*:*:*:*

Configuration 27 (hide)

AND

cpe:2.3:o:gl-inet:gl-ar750_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-ar750:-:*:*:*:*:*:*:*

Configuration 28 (hide)

AND

cpe:2.3:o:gl-inet:gl-mifi_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-mifi:-:*:*:*:*:*:*:*

Configuration 29 (hide)

AND

cpe:2.3:o:gl-inet:gl-mt300n-v2_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-mt300n-v2:-:*:*:*:*:*:*:*

Configuration 30 (hide)

AND

cpe:2.3:o:gl-inet:gl-ar300m_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-ar300m:-:*:*:*:*:*:*:*

Configuration 31 (hide)

AND

cpe:2.3:o:gl-inet:gl-usb150_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:gl-usb150:-:*:*:*:*:*:*:*

Configuration 32 (hide)

AND

cpe:2.3:o:gl-inet:microuter-n300_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:gl-inet:microuter-n300:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-05-09 18:15

Updated : 2024-02-28 20:13

NVD link : CVE-2023-31472

Mitre link : CVE-2023-31472

CVE.ORG link : CVE-2023-31472

JSON object : View

Products Affected

gl-inet

gl-e750
gl-mt1300_firmware
gl-ar750s
gl-ar750
gl-s20_firmware
gl-e750_firmware
gl-ap1300
gl-a1300
gl-x3000_firmware
gl-ap1300lte_firmware
gl-mifi_firmware
gl-axt1800
gl-ax1800_firmware
gl-axt1800_firmware
gl-s10_firmware
gl-ar750_firmware
gl-s200_firmware
gl-mv1000w
gl-mv1000_firmware
gl-ar300m_firmware
gl-x3000
gl-x300b_firmware
gl-usb150_firmware
gl-s1300_firmware
gl-mt2500a_firmware
gl-sf1200
gl-mt2500a
gl-mv1000
gl-s20
gl-mt300n-v2
gl-usb150
gl-mt2500_firmware
gl-s200
gl-x750
gl-mifi
gl-b1300_firmware
gl-b1300
gl-mt3000_firmware
gl-mt1300
gl-ap1300lte
gl-x1200
gl-b2200_firmware
gl-x300b
gl-xe300
gl-mt300n-v2_firmware
microuter-n300
gl-x1200_firmware
gl-xe300_firmware
microuter-n300_firmware
gl-ap1300_firmware
gl-x750_firmware
gl-mv1000w_firmware
gl-ar300m
gl-s10
gl-ar750s_firmware
gl-mt3000
gl-a1300_firmware
gl-sf1200_firmware
gl-mt2500
gl-sft1200
gl-s1300
gl-ax1800
gl-b2200
gl-sft1200_firmware

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

7.5 /10