An issue was discovered on GL.iNet devices before version 4.5.0. They assign the same session ID after each user reboot, allowing attackers to share session identifiers between different sessions and bypass authentication or access control measures. Attackers can impersonate legitimate users or perform unauthorized actions. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.
References
Link | Resource |
---|---|
https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Authentication-bypass-seesion-ID.md | Exploit Issue Tracking Vendor Advisory |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
AND |
|
Configuration 5 (hide)
AND |
|
Configuration 6 (hide)
AND |
|
Configuration 7 (hide)
AND |
|
Configuration 8 (hide)
AND |
|
Configuration 9 (hide)
AND |
|
Configuration 10 (hide)
AND |
|
Configuration 11 (hide)
AND |
|
Configuration 12 (hide)
AND |
|
History
19 Jan 2024, 02:11
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Authentication-bypass-seesion-ID.md - Exploit, Issue Tracking, Vendor Advisory | |
CWE | CWE-384 | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.5 |
CPE | cpe:2.3:o:gl-inet:gl-ax1800_firmware:4.3.7:*:*:*:*:*:*:* cpe:2.3:h:gl-inet:gl-b1300:-:*:*:*:*:*:*:* cpe:2.3:h:gl-inet:gl-ar300m:-:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-ar750_firmware:4.4.6:*:*:*:*:*:*:* cpe:2.3:h:gl-inet:gl-mt2500:-:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-mt3000_firmware:4.4.6:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-ax1800_firmware:4.4.6:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-mt3000_firmware:4.3.7:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-mt6000_firmware:4.3.7:*:*:*:*:*:*:* cpe:2.3:h:gl-inet:gl-mt1300:-:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-ar300m_firmware:4.3.7:*:*:*:*:*:*:* cpe:2.3:h:gl-inet:gl-a1300:-:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-a1300_firmware:4.3.7:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-b1300_firmware:4.4.6:*:*:*:*:*:*:* cpe:2.3:h:gl-inet:gl-mt6000:-:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-mt6000_firmware:4.4.6:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-mt300n-v2_firmware:4.4.6:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-mt2500_firmware:4.4.6:*:*:*:*:*:*:* cpe:2.3:h:gl-inet:gl-ar750:-:*:*:*:*:*:*:* cpe:2.3:h:gl-inet:gl-mt3000:-:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-ar300m_firmware:4.4.6:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-axt1800_firmware:4.4.6:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-ar750s_firmware:4.4.6:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-b1300_firmware:4.3.7:*:*:*:*:*:*:* cpe:2.3:h:gl-inet:gl-ax1800:-:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-a1300_firmware:4.4.6:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-ar750s_firmware:4.3.7:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-mt1300_firmware:4.3.7:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-mt300n-v2_firmware:4.3.7:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-ar750_firmware:4.3.7:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-mt2500_firmware:4.3.7:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-mt1300_firmware:4.4.6:*:*:*:*:*:*:* cpe:2.3:h:gl-inet:gl-ar750s:-:*:*:*:*:*:*:* cpe:2.3:h:gl-inet:gl-mt300n-v2:-:*:*:*:*:*:*:* cpe:2.3:o:gl-inet:gl-axt1800_firmware:4.3.7:*:*:*:*:*:*:* cpe:2.3:h:gl-inet:gl-axt1800:-:*:*:*:*:*:*:* |
|
First Time |
Gl-inet gl-ar300m Firmware
Gl-inet gl-ar750s Firmware Gl-inet gl-axt1800 Gl-inet gl-ar300m Gl-inet gl-mt300n-v2 Firmware Gl-inet gl-ar750s Gl-inet gl-mt3000 Gl-inet gl-b1300 Gl-inet gl-mt2500 Firmware Gl-inet gl-a1300 Firmware Gl-inet gl-axt1800 Firmware Gl-inet gl-mt2500 Gl-inet gl-ax1800 Firmware Gl-inet gl-mt6000 Gl-inet gl-mt1300 Gl-inet gl-mt3000 Firmware Gl-inet gl-mt300n-v2 Gl-inet gl-mt1300 Firmware Gl-inet gl-mt6000 Firmware Gl-inet gl-ax1800 Gl-inet Gl-inet gl-ar750 Firmware Gl-inet gl-a1300 Gl-inet gl-b1300 Firmware Gl-inet gl-ar750 |
12 Jan 2024, 08:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-12 08:15
Updated : 2024-02-28 20:54
NVD link : CVE-2023-50920
Mitre link : CVE-2023-50920
CVE.ORG link : CVE-2023-50920
JSON object : View
Products Affected
gl-inet
- gl-a1300
- gl-mt6000_firmware
- gl-ar750s
- gl-ar300m
- gl-ax1800_firmware
- gl-ar750_firmware
- gl-mt300n-v2_firmware
- gl-mt300n-v2
- gl-axt1800
- gl-ar750s_firmware
- gl-mt1300
- gl-axt1800_firmware
- gl-mt2500
- gl-b1300
- gl-mt2500_firmware
- gl-ar750
- gl-mt3000
- gl-ar300m_firmware
- gl-mt3000_firmware
- gl-b1300_firmware
- gl-mt6000
- gl-ax1800
- gl-a1300_firmware
- gl-mt1300_firmware
CWE
CWE-384
Session Fixation