OpenNDS, as used in Sierra Wireless ALEOS before 4.17.0.12 and other products, allows remote attackers to cause a denial of service (NULL pointer dereference, daemon crash, and Captive Portal outage) via a GET request to /opennds_auth/ that lacks a custom query string parameter and client-token.
References
Configurations
Configuration 1 (hide)
AND |
|
History
21 Nov 2024, 08:13
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/openNDS/openNDS/blob/master/ChangeLog - Release Notes | |
References | () https://openwrt.org/docs/guide-user/services/captive-portal/opennds - Product | |
References | () https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx - Vendor Advisory |
03 Jan 2024, 22:30
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.5 |
References | () https://openwrt.org/docs/guide-user/services/captive-portal/opennds - Product | |
References | () https://github.com/openNDS/openNDS/blob/master/ChangeLog - Release Notes | |
References | () https://source.sierrawireless.com/-/media/support_downloads/security-bulletins/pdf/swi-psa-2023-006-r3.ashx - Vendor Advisory | |
CPE | cpe:2.3:h:sierrawireless:mp70:-:*:*:*:*:*:*:* cpe:2.3:h:sierrawireless:rv55:-:*:*:*:*:*:*:* cpe:2.3:h:sierrawireless:lx40:-:*:*:*:*:*:*:* cpe:2.3:h:sierrawireless:rv50x:-:*:*:*:*:*:*:* cpe:2.3:o:sierrawireless:aleos:*:*:*:*:*:*:*:* cpe:2.3:h:sierrawireless:lx60:-:*:*:*:*:*:*:* |
|
CWE | CWE-476 | |
First Time |
Sierrawireless lx40
Sierrawireless rv50x Sierrawireless Sierrawireless mp70 Sierrawireless lx60 Sierrawireless rv55 Sierrawireless aleos |
25 Dec 2023, 09:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-12-25 09:15
Updated : 2024-11-21 08:13
NVD link : CVE-2023-38321
Mitre link : CVE-2023-38321
CVE.ORG link : CVE-2023-38321
JSON object : View
Products Affected
sierrawireless
- rv55
- aleos
- rv50x
- lx60
- lx40
- mp70
CWE
CWE-476
NULL Pointer Dereference