CVE-2023-27360Insufficient Verification of Data Authenticity in Netgear Rax30 Firmware

CWE-345Insufficient Verification of Data AuthenticityCWE-346Origin Validation Error3 documents3 sources
Severity
8.8HIGHNVD
EPSS
0.7%
top 27.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Netgear Rax30 FirmwareNetgear Rax30
Timeline
PublishedMay 3

Description

NETGEAR RAX30 lighttpd Misconfiguration Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR RAX30. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the lighttpd HTTP server. The issue results from allowing execution of files from untrusted sources. An attacker can leverage this vulnerability to execute code in the context of root.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDnetgear/rax30_firmware< 1.0.10.94
CVEListV5netgear/rax301.0.6.74_1

🔴Vulnerability Details

2
GHSA
GHSA-5mr2-xg52-9g99: NETGEAR RAX30 lighttpd Misconfiguration Remote Code Execution Vulnerability2024-05-03
CVEList
NETGEAR RAX30 lighttpd Misconfiguration Remote Code Execution Vulnerability2024-05-03
CVE-2023-27360 — Netgear Rax30 Firmware vulnerability | cvebase