CRITICAL🇵🇱 Wersja polska

CVE-2023-46454

CVSS 9.8v3.1pub. 2023-12-12upd. 2024-11-21

In GL.iNET GL-AR300M routers with firmware v4.3.7, it is possible to inject arbitrary shell commands through a crafted package name in the package information functionality.

🤖 AI Analysis
How it works

An attacker sends a network request to the package management function on the device, providing a crafted package name containing malicious shell commands. The input is not properly validated or sanitized before being passed to the operating system command interpreter. As a result, commands supplied by the attacker are executed directly in the context of the router's operating system.

Impact

An attacker can execute arbitrary system commands on the router without authentication, which may lead to complete device takeover, theft of configuration data, modification of network settings, or use of the router as an entry point to the network infrastructure.

Mitigation & patch

Patches available from the manufacturer should be applied according to the references. It is also recommended to restrict access to the router's administrative interface to trusted IP addresses only and to monitor network traffic for unauthorized requests.

Who is affected

GL.iNET GL-AR300M routers running firmware version 4.3.7

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Gl Inet Gl Ar300m

    HW
    Gl-Inet
    wszystkie wersje
  • Gl Inet Gl Ar300m Firmware

    OS
    Gl-Inet
    4.3.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Command Injection
CWE
References

Related vulnerabilities

CVE-2023-50919CRITICAL9.8PL ✓ten sam produkt

GL.iNet — Authentication Bypass w NGINX przez dopasowanie wzorców Lua

CVE-2023-50921CRITICAL9.8PL ✓ten sam produkt

GL.iNet: privilege escalation przez interfejs add_user do uprawnień root

CVE-2023-46456CRITICAL9.8PL ✓ten sam produkt

GL.iNET GL-AR300M: command injection przez upload pliku konfiguracji OpenVPN

CVE-2023-31475CRITICAL9.8ten sam produkt

An issue was discovered on GL.iNet devices before 3.216. The function guci2_get() found in libglutil.so has a ...

CVE-2023-31471CRITICAL9.8ten sam produkt

An issue was discovered on GL.iNet devices before 3.216. Through the software installation feature, it is poss...