CVE-2023-31476

Published: May 9, 2023Modified: Jan 29, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An issue was discovered on GL.iNet devices running firmware before 3.216. There is an arbitrary file write in which an empty file can be created almost anywhere on the filesystem, as long as the filename and path is no more than 6 characters (the working directory is /www).

Affected (2)

Products: Gl Inet: Gl Mv1000w Firmware, Gl Mv1000 Firmware

2 products

Gl Mv1000w Firmware

Gl Mv1000 Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Gl Inet Gl Mv1000w Firmware	Up to 3.215

Running on/with	Platform Versions
Gl Inet Gl Mv1000w	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Gl Inet Gl Mv1000 Firmware	Up to 3.215

Running on/with	Platform Versions
Gl Inet Gl Mv1000	All versions

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (4)

https://github.com/gl-inet/CVE-issues/blob/main/3.215/GL-MV1000_Arbitrary_File_Creation.md

Source: cve@mitre.org

ExploitThird Party Advisory

https://www.gl-inet.com

Source: cve@mitre.org

Product

https://github.com/gl-inet/CVE-issues/blob/main/3.215/GL-MV1000_Arbitrary_File_Creation.md

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://www.gl-inet.com

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.