An issue was discovered on GL.iNet devices before 3.216. There is an arbitrary file write in which an empty file can be created anywhere on the filesystem. This is caused by a command injection vulnerability with a filter applied. Through the software installation feature, it is possible to inject arbitrary parameters in a request to cause opkg to read an arbitrary file name while using root privileges. The -f option can be used with a configuration file.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-05-11T00:00:00

Updated: 2024-08-02T14:53:30.985Z

Reserved: 2023-04-28T00:00:00

Link: CVE-2023-31473

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-05-11T11:15:09.100

Modified: 2024-11-21T08:01:56.547

Link: CVE-2023-31473

cve-icon Redhat

No data.