CVE-2023-38316
Published 2023-11-17
Priority: P260 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.08% (61.0th percentile)
An issue was discovered in OpenNDS Captive Portal before version 10.1.2. When the custom unescape callback is enabled, attackers can execute arbitrary OS commands by inserting them into the URL portion of HTTP GET requests. Affected: OpenNDS Captive Portal before version 10.1.2. Fixed in OpenWrt master, OpenWrt 23.05 and OpenWrt 22.03 on 28 August 2023 by updating OpenNDS to version 10.1.3.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | opennds | < opennds 10.2.0+dfsg-1 (forky) | opennds 10.2.0+dfsg-1 (forky) |
| opennds | captive_portal | < 10.1.2 | 10.1.2 |
| opennds | opennds | >= 0 < 10.2.0+dfsg-1 | 10.2.0+dfsg-1 |
| opennds | opennds | >= 0 < 10.2.0+dfsg-1 | 10.2.0+dfsg-1 |
Detection & IOCs
- Exploit vector targets the URL portion of HTTP GET requests when the custom unescape callback is enabled in OpenNDS Captive Portal; monitor for OS command injection patterns (e.g., shell metacharacters) embedded in GET request URLs directed at the OpenNDS captive portal service.
- The vulnerability is only exploitable when the 'custom unescape callback' feature is explicitly enabled in OpenNDS configuration. Deployments with this callback disabled are not affected.
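The monitoring guidance above can be run as a log check. This is an added example, not code from OpenNDS or from the sources quoted on this page; it assumes access logs in a common-log-style format, and the sample lines, the `/portal/` path and the `client`/`redir` parameter names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (hypothetical path and parameter names).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Nov/2023:10:00:01 +0000] "GET /portal/?client=ab12&redir=http%3A%2F%2Fexample.com%2F HTTP/1.1" 200',
    '192.0.2.11 - - [17/Nov/2023:10:00:05 +0000] "GET /portal/?client=ab12%3Bid HTTP/1.1" 200',
    '192.0.2.12 - - [17/Nov/2023:10:00:09 +0000] "GET /portal/?client=%2524%2528id%2529 HTTP/1.1" 200',
]

REQUEST_LINE = re.compile(r'"GET (\S+) HTTP/[\d.]+"')
# Shell metacharacters to flag after decoding. A lone '&' is excluded because
# it legitimately separates query parameters.
SHELL_META = re.compile(r"`|\$\(|\$\{|\|\||&&|[;|<>\n\r]")


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is also inspected."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_tokens(url):
    """Return (decoded_part, metacharacter) for each URL part that matches."""
    path, _, query = url.partition("?")
    parts = [path] + (query.split("&") if query else [])
    hits = []
    for part in parts:  # split on raw '&' first, then decode each part
        decoded = decode_fully(part)
        match = SHELL_META.search(decoded)
        if match:
            hits.append((decoded, match.group(0)))
    return hits


def scan(lines):
    """Return (line_number, hits) for every GET request line that is flagged."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        request = REQUEST_LINE.search(line)
        hits = suspicious_tokens(request.group(1)) if request else []
        if hits:
            findings.append((lineno, hits))
    return findings


if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG):
        print(lineno, hits)
```

Some legitimate URLs contain `;` or `|`, so treat hits as leads to review against the portal's expected parameters, not as confirmed exploitation.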
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv · 9.8 CRITICAL
vendor_debian · 9.8 CRITICAL
OSV
osv·2023-11-17·CVSS 9.8
CVE-2023-38316 [CRITICAL] CVE-2023-38316: An issue was discovered in OpenNDS Captive Portal before version 10
GHSA
ghsa_unreviewed·2023-11-17
CVE-2023-38316 [CRITICAL] CWE-116 GHSA-857f-w8mj-5g2g: An issue was discovered in OpenNDS Captive Portal before version 10
An issue was discovered in OpenNDS Captive Portal before version 10.1.2. When the custom unescape callback is enabled, attackers can execute arbitrary OS commands by inserting them into the URL portion of HTTP GET requests.
Debian
vendor_debian·2023·CVSS 9.8
CVE-2023-38316 [CRITICAL] CVE-2023-38316: opennds - An issue was discovered in OpenNDS Captive Portal before version 10.1.2. When th...
Scope: local
bookworm: open
forky: resolved (fixed in 10.2.0+dfsg-1)
sid: resolved (fixed in 10.2.0+dfsg-1)
trixie: resolved (fixed in 10.2.0+dfsg-1)
No detection rules found.
No public exploits indexed.
https://github.com/openNDS/openNDS/releases/tag/v10.1.2
https://github.com/openwrt/routing/commit/0b19771fb2dd81e7c428759610aed583171eed80
https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-006-v4/#sthash.2vJg3d85.rwx82g1C.dpbs
Published: 2023-11-17