CVE-2023-6319

Published: Apr 9, 2024Modified: Feb 7, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

A command injection vulnerability exists in the getAudioMetadata method from the com.webos.service.attachedstoragemanager service on webOS version 4 through 7. A series of specially crafted requests can lead to command execution as the root user. An attacker can make authenticated requests to trigger this vulnerability. * webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA * webOS 5.5.0 - 04.50.51 running on OLED55CXPUA * webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB * webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA

Affected (4)

Products: Lg: Webos

1 product

Webos

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lg Webos	Version 4.9.7

Running on/with	Platform Versions
Lg Lg43um7000pla	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lg Webos	Version 5.5.0

Running on/with	Platform Versions
Lg Oled55cxpua	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lg Webos	Version 6.3.3-442

Running on/with	Platform Versions
Lg Oled48c1pub	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Lg Webos	Version 7.3.1-43

Running on/with	Platform Versions
Lg Oled55a23la	All versions

Related CWEs

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (4)

https://bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/

Source: cve-requests@bitdefender.com

ExploitThird Party Advisory

https://lgsecurity.lge.com/bulletins/tv#updateDetails

Source: cve-requests@bitdefender.com

Vendor Advisory

https://bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://lgsecurity.lge.com/bulletins/tv#updateDetails

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.