CVE-2023-5142

A vulnerability classified as problematic was found in H3C GR-1100-P, GR-1108-P, GR-1200W, GR-1800AX, GR-2200, GR-3200, GR-5200, GR-8300, ER2100n, ER2200G2, ER3200G2, ER3260G2, ER5100G2, ER5200G2 and ER6300G2 up to 20230908. This vulnerability affects unknown code of the file /userLogin.asp of the component Config File Handler. The manipulation leads to path traversal. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. VDB-240238 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
References
Link Resource
https://github.com/CJCniubi666/H3C-ER/blob/main/README.md Exploit Third Party Advisory
https://github.com/yinsel/CVE-H3C-Report Exploit Third Party Advisory
https://vuldb.com/?ctiid.240238 Permissions Required Third Party Advisory
https://vuldb.com/?id.240238 Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:h3c:gr-1100-p_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:gr-1100-p:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:h3c:gr-1108-p_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:gr-1108-p:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:h3c:gr-1200w_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:gr-1200w:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:h3c:gr-1800ax_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:gr-1800ax:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:h3c:gr-2200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:gr-2200:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:h3c:gr-3200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:gr-3200:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:h3c:gr-5200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:gr-5200:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:h3c:gr-8300_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:gr-8300:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:h3c:er3260g2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:er3260g2:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:h3c:er5200g2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:er5200g2:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND
cpe:2.3:o:h3c:er3200g2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:er3200g2:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND
cpe:2.3:o:h3c:er2100n_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:er2100n:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND
cpe:2.3:o:h3c:er6300g2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:er6300g2:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND
cpe:2.3:o:h3c:er5100g2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:er5100g2:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND
cpe:2.3:o:h3c:er2200g2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:er2200g2:-:*:*:*:*:*:*:*

History

26 Sep 2023, 20:55

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3
First Time H3c er5100g2 Firmware
H3c er3260g2 Firmware
H3c er6300g2
H3c gr-2200 Firmware
H3c gr-1108-p Firmware
H3c gr-3200
H3c gr-1100-p
H3c er3260g2
H3c er2100n Firmware
H3c gr-1200w
H3c gr-1100-p Firmware
H3c gr-2200
H3c er2100n
H3c
H3c gr-1108-p
H3c gr-1800ax Firmware
H3c er3200g2
H3c gr-1800ax
H3c er5200g2 Firmware
H3c gr-8300
H3c er3200g2 Firmware
H3c er5200g2
H3c er5100g2
H3c er2200g2
H3c gr-3200 Firmware
H3c gr-5200
H3c er6300g2 Firmware
H3c gr-1200w Firmware
H3c gr-8300 Firmware
H3c er2200g2 Firmware
H3c gr-5200 Firmware
References (MISC) https://vuldb.com/?id.240238 - (MISC) https://vuldb.com/?id.240238 - Third Party Advisory
References (MISC) https://github.com/yinsel/CVE-H3C-Report - (MISC) https://github.com/yinsel/CVE-H3C-Report - Exploit, Third Party Advisory
References (MISC) https://vuldb.com/?ctiid.240238 - (MISC) https://vuldb.com/?ctiid.240238 - Permissions Required, Third Party Advisory
References (MISC) https://github.com/CJCniubi666/H3C-ER/blob/main/README.md - (MISC) https://github.com/CJCniubi666/H3C-ER/blob/main/README.md - Exploit, Third Party Advisory
CPE cpe:2.3:o:h3c:er6300g2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:h3c:gr-1108-p_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:er3260g2:-:*:*:*:*:*:*:*
cpe:2.3:o:h3c:gr-3200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:h3c:er5100g2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:er5200g2:-:*:*:*:*:*:*:*
cpe:2.3:o:h3c:gr-1100-p_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:h3c:gr-2200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:er3200g2:-:*:*:*:*:*:*:*
cpe:2.3:h:h3c:gr-1800ax:-:*:*:*:*:*:*:*
cpe:2.3:o:h3c:er3200g2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:er2100n:-:*:*:*:*:*:*:*
cpe:2.3:h:h3c:er2200g2:-:*:*:*:*:*:*:*
cpe:2.3:o:h3c:gr-5200_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:h3c:gr-1200w_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:er5100g2:-:*:*:*:*:*:*:*
cpe:2.3:o:h3c:er2100n_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:gr-1200w:-:*:*:*:*:*:*:*
cpe:2.3:o:h3c:gr-8300_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:h3c:gr-1800ax_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:gr-1100-p:-:*:*:*:*:*:*:*
cpe:2.3:o:h3c:er3260g2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:er6300g2:-:*:*:*:*:*:*:*
cpe:2.3:h:h3c:gr-2200:-:*:*:*:*:*:*:*
cpe:2.3:o:h3c:er5200g2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:gr-1108-p:-:*:*:*:*:*:*:*
cpe:2.3:h:h3c:gr-8300:-:*:*:*:*:*:*:*
cpe:2.3:o:h3c:er2200g2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:h3c:gr-5200:-:*:*:*:*:*:*:*
cpe:2.3:h:h3c:gr-3200:-:*:*:*:*:*:*:*

24 Sep 2023, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-09-24 22:15

Updated : 2024-05-17 02:32


NVD link : CVE-2023-5142

Mitre link : CVE-2023-5142

CVE.ORG link : CVE-2023-5142


JSON object : View

Products Affected

h3c

  • er3260g2_firmware
  • er3200g2
  • er2100n
  • gr-2200_firmware
  • gr-1108-p_firmware
  • er2200g2
  • gr-1800ax_firmware
  • gr-3200
  • er5200g2
  • er6300g2
  • gr-2200
  • gr-5200
  • er6300g2_firmware
  • gr-3200_firmware
  • er2200g2_firmware
  • er5100g2_firmware
  • gr-8300
  • gr-8300_firmware
  • er2100n_firmware
  • er5200g2_firmware
  • er3200g2_firmware
  • gr-1200w_firmware
  • er5100g2
  • gr-1108-p
  • er3260g2
  • gr-1200w
  • gr-1100-p_firmware
  • gr-1100-p
  • gr-1800ax
  • gr-5200_firmware
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')