CVE-2023-31997

Published: Jul 1, 2023Modified: Nov 26, 2024

9.0

Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Exploitability: 2.3 / Impact: 6.0

Source: NVD

Description

UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi Network that allows users on a local network to access MongoDB. Applicable Cloud Keys that are both (1) running UniFi OS 3.1 and (2) hosting the UniFi Network application. "Applicable Cloud Keys" include the following: Cloud Key Gen2 and Cloud Key Gen2 Plus.

Affected (1)

Products: Ui: Unifi Os

1 product

Configuration A

1 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Ui Unifi Os	Version 3.1

Running on/with	Platform Versions
Ui Cloud Key Gen2	All versions
Ui Cloud Key Gen2 Plus	All versions

Related CWEs

Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (2)

https://community.ui.com/releases/Security-Advisory-Bulletin-032-032/e57301f4-4f5e-4d9f-90bc-71f1923ed7a4

Source: support@hackerone.com

Issue Tracking

https://community.ui.com/releases/Security-Advisory-Bulletin-032-032/e57301f4-4f5e-4d9f-90bc-71f1923ed7a4

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

Timeline

No history available yet.