CVE-2023-46306 — HIGH (8.4)

Q: How severe is CVE-2023-46306?

CVE-2023-46306 has been rated HIGH with a CVSS base score of 8.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-46306?

Check the references section above for vendor advisories and patch information. Affected products include: Netmodule Netmodule Router Software, Netmodule Nb1601, Netmodule Nb1800, Netmodule Nb1810, Netmodule Nb2800.

Vulnerability Description

The web administration interface in NetModule Router Software (NRSW) 4.6 before 4.6.0.106 and 4.8 before 4.8.0.101 executes an OS command constructed with unsanitized user input: shell metacharacters in the /admin/gnssAutoAlign.php device_id parameter. This occurs because another thread can be started before the trap that triggers the cleanup function. A successful exploit could allow an authenticated user to execute arbitrary commands with elevated privileges. NOTE: this is different from CVE-2023-0861 and CVE-2023-0862, which were fixed in version 4.6.0.105.

CVSS Score

8.4

HIGH

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Netmodule	Netmodule Router Software	< 4.6.0.105
Netmodule	Nb1601	-
Netmodule	Nb1800	-
Netmodule	Nb1810	-
Netmodule	Nb2800	-
Netmodule	Nb2810	-
Netmodule	Nb3701	-
Netmodule	Nb3800	-
Netmodule	Ng800	-

Related Weaknesses (CWE)

CWE-78

References

https://pentest.blog/advisory-netmodule-router-software-race-condition-leads-to-ProductThird Party Advisory
https://share.netmodule.com/public/system-software/4.6/4.6.0.106/NRSW-RN-4.6.0.1Release Notes
https://share.netmodule.com/public/system-software/4.8/4.8.0.101/NRSW-RN-4.8.0.1Release Notes
https://pentest.blog/advisory-netmodule-router-software-race-condition-leads-to-ProductThird Party Advisory
https://share.netmodule.com/public/system-software/4.6/4.6.0.106/NRSW-RN-4.6.0.1Release Notes
https://share.netmodule.com/public/system-software/4.8/4.8.0.101/NRSW-RN-4.8.0.1Release Notes

FAQ

What is CVE-2023-46306?

CVE-2023-46306 is a vulnerability with a CVSS score of 8.4 (HIGH). The web administration interface in NetModule Router Software (NRSW) 4.6 before 4.6.0.106 and 4.8 before 4.8.0.101 executes an OS command constructed with unsanitized user input: shell metacharacters ...

How severe is CVE-2023-46306?

CVE-2023-46306 has been rated HIGH with a CVSS base score of 8.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-46306?

Check the references section above for vendor advisories and patch information. Affected products include: Netmodule Netmodule Router Software, Netmodule Nb1601, Netmodule Nb1800, Netmodule Nb1810, Netmodule Nb2800.