CVE-2024-48073

sunniwell HT3300 before 1.0.0.B022.2 is vulnerable to Insecure Permissions. The /usr/local/bin/update program, which is responsible for updating the software on the HT3300 device, can be run via sudo with NOPASSWD. The program contains a command injection vulnerability that could allow an attacker to pass commands to it via command-line arguments and gain elevated root privileges.
Configurations

No configuration.

History

18 Nov 2024, 15:35

Type | Values Removed | Values Added
CWE | | CWE-862
CVSS | v2 : unknown, v3 : unknown | v2 : unknown, v3 : 9.8

12 Nov 2024, 13:56

Type | Values Removed | Values Added
Summary | | (es) sunniwell HT3300 before 1.0.0.B022.2 is vulnerable to insecure permissions. The /usr/local/bin/update program, which is responsible for updating the software on the HT3300 device, is assigned the sudo NOPASSWD execution mode. This program is vulnerable to a command injection vulnerability, which could allow an attacker to pass commands to this program via command-line arguments to gain elevated superuser privileges.

08 Nov 2024, 22:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-11-08 22:15

Updated : 2024-11-18 15:35


NVD link : CVE-2024-48073

Mitre link : CVE-2024-48073

CVE.ORG link : CVE-2024-48073



Products Affected

No product.

CWE
CWE-862: Missing Authorization