CVE-2023-6729

Published: Oct 17, 2024Modified: Oct 18, 2024

7.3

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.3 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Nokia SR OS routers allow read-write access to the entire file system via SFTP or SCP for users configured with "access console." Consequently, a low privilege authenticated user with "access console" can read or replace the router configuration file as well as other files stored in the Compact Flash or SD card without using CLI commands. This type of attack can lead to a compromise or denial of service of the router after the system is rebooted.

Related CWEs

CWE-732

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

References (1)

https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2023-6729/

Source: b48c3b8f-639e-4c16-8725-497bc411dad0

Timeline

No history available yet.