CVE-2023-2910 - Vulnerability Details - OpenCVE

Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00555.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Asustor	Adm Data Master

Configuration 1 [-]

OR	cpe:2.3:o:asustor:data_master::::::::
	cpe:2.3:o:asustor:data_master::::::::

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-34356	Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.asustor.com/security/security_advisory_detail?id=27

History

Tue, 08 Oct 2024 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Asustor adm
CPEs		cpe:2.3:a:asustor:adm::::::::
Vendors & Products		Asustor adm
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: ASUSTOR1

Published: 2023-08-17T09:25:43.344Z

Updated: 2024-10-08T17:30:14.795Z

Reserved: 2023-05-26T09:43:54.979Z

Link: CVE-2023-2910

Vulnrichment

Updated: 2024-08-02T06:41:03.648Z

NVD

Status : Modified

Published: 2023-08-17T10:15:10.737

Modified: 2024-11-21T07:59:33.000

Link: CVE-2023-2910

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-2910", "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "state": "PUBLISHED", "assignerShortName": "ASUSTOR1", "dateReserved": "2023-05-26T09:43:54.979Z", "datePublished": "2023-08-17T09:25:43.344Z", "dateUpdated": "2024-10-08T17:30:14.795Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "packageName": "Printer Service", "platforms": ["Linux", "x86", "ARM", "64 bit"], "product": "ADM", "vendor": "ASUSTOR", "versions": [{"lessThanOrEqual": "4.0.6.RIS1", "status": "affected", "version": "4.0", "versionType": "custom"}, {"lessThanOrEqual": "4.1.0.RLQ1", "status": "affected", "version": "4.1", "versionType": "custom"}, {"lessThanOrEqual": "4.2.2.RI61", "status": "affected", "version": "4.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "atdog (@atdog_tw) and Lays (@_L4ys) of TRAPA Security"}], "datePublic": "2023-08-30T07:15:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.<br>"}], "value": "Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.\n"}], "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248 Command Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1", "dateUpdated": "2023-08-17T09:25:43.344Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.asustor.com/security/security_advisory_detail?id=27"}], "source": {"discovery": "UNKNOWN"}, "title": "A Command injection vulnerability was found on Printer service of ADM", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:41:03.648Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.asustor.com/security/security_advisory_detail?id=27"}]}, {"affected": [{"vendor": "asustor", "product": "adm", "cpes": ["cpe:2.3:a:asustor:adm:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "4.0", "status": "affected", "lessThanOrEqual": "4.0.6.RIS1", "versionType": "custom"}, {"version": "4.1", "status": "affected", "lessThanOrEqual": "4.1.0.RLQ1", "versionType": "custom"}, {"version": "4.2", "status": "affected", "lessThanOrEqual": "4.2.2.RI6", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-08T17:28:39.517947Z", "id": "CVE-2023-2910", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-08T17:30:14.795Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.asustor.com/security/security_advisory_detail?id=27", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:41:03.648Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-2910", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-08T17:28:39.517947Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:asustor:adm:*:*:*:*:*:*:*:*"], "vendor": "asustor", "product": "adm", "versions": [{"status": "affected", "version": "4.0", "versionType": "custom", "lessThanOrEqual": "4.0.6.RIS1"}, {"status": "affected", "version": "4.1", "versionType": "custom", "lessThanOrEqual": "4.1.0.RLQ1"}, {"status": "affected", "version": "4.2", "versionType": "custom", "lessThanOrEqual": "4.2.2.RI6"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-08T17:30:08.761Z"}}], "cna": {"title": "A Command injection vulnerability was found on Printer service of ADM", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "atdog (@atdog_tw) and Lays (@_L4ys) of TRAPA Security"}], "impacts": [{"capecId": "CAPEC-248", "descriptions": [{"lang": "en", "value": "CAPEC-248 Command Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "ASUSTOR", "product": "ADM", "versions": [{"status": "affected", "version": "4.0", "versionType": "custom", "lessThanOrEqual": "4.0.6.RIS1"}, {"status": "affected", "version": "4.1", "versionType": "custom", "lessThanOrEqual": "4.1.0.RLQ1"}, {"status": "affected", "version": "4.2", "versionType": "custom", "lessThanOrEqual": "4.2.2.RI61"}], "platforms": ["Linux", "x86", "ARM", "64 bit"], "packageName": "Printer Service", "defaultStatus": "affected"}], "datePublic": "2023-08-30T07:15:00.000Z", "references": [{"url": "https://www.asustor.com/security/security_advisory_detail?id=27", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.\n", "supportingMedia": [{"type": "text/html", "value": "Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "shortName": "ASUSTOR1", "dateUpdated": "2023-08-17T09:25:43.344Z"}}}, "cveMetadata": {"cveId": "CVE-2023-2910", "state": "PUBLISHED", "dateUpdated": "2024-10-08T17:30:14.795Z", "dateReserved": "2023-05-26T09:43:54.979Z", "assignerOrgId": "f35eaae9-79f2-4d0d-a5c7-7bea6ed6be77", "datePublished": "2023-08-17T09:25:43.344Z", "assignerShortName": "ASUSTOR1"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:*", "matchCriteriaId": "52E98421-79B4-4483-ABC6-C01289B5C028", "versionEndIncluding": "4.0.6.ris1", "versionStartIncluding": "4.0.0.rib4", "vulnerable": true}, {"criteria": "cpe:2.3:o:asustor:data_master:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A135ABF-52BD-43B0-AD0D-0B92FF20B9F5", "versionEndExcluding": "4.2.3.rk91", "versionStartIncluding": "4.1.0.rhu2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Printer service functionality in ASUSTOR Data Master (ADM) allows remote unauthorized users to execute arbitrary commands via unspecified vectors. Affected products and versions include: ADM 4.0.6.RIS1, 4.1.0 and below as well as ADM 4.2.2.RI61 and below.\n"}], "id": "CVE-2023-2910", "lastModified": "2024-11-21T07:59:33.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@asustor.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-17T10:15:10.737", "references": [{"source": "security@asustor.com", "tags": ["Vendor Advisory"], "url": "https://www.asustor.com/security/security_advisory_detail?id=27"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.asustor.com/security/security_advisory_detail?id=27"}], "sourceIdentifier": "security@asustor.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "security@asustor.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}