{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-38032", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "state": "PUBLISHED", "assignerShortName": "twcert", "dateReserved": "2023-07-12T00:37:03.717Z", "datePublished": "2023-09-07T06:30:47.345Z", "dateUpdated": "2024-08-02T17:30:12.386Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "RT-AC86U", "vendor": "ASUS", "versions": [{"status": "affected", "version": "\t 3.0.0.4.386.51529"}]}], "datePublic": "2023-09-15T13:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<table><tbody><tr><td><p>ASUS RT-AC86U AiProtection security- related function has insufficient filtering of special character. A remote attacker with regular user privilege can exploit this vulnerability to perform command injection attack to execute arbitrary commands, disrupt system or terminate services.</p></td></tr></tbody></table>\n\n"}], "value": "\nASUS RT-AC86U AiProtection security- related function has insufficient filtering of special character. A remote attacker with regular user privilege can exploit this vulnerability to perform command injection attack to execute arbitrary commands, disrupt system or terminate services.\n\n\n\n"}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2023-09-07T06:30:47.345Z"}, "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7349-7f8cd-1.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to 3.0.0.4.386_51915<br><br>"}], "value": "Update to 3.0.0.4.386_51915\n\n"}], "source": {"advisory": "TVN-202309003", "discovery": "EXTERNAL"}, "title": "ASUS RT-AC86U - Command injection vulnerability - 2", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T17:30:12.386Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.twcert.org.tw/tw/cp-132-7349-7f8cd-1.html", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:asus:rt-ac86u_firmware:3.0.0.4_386_51529:*:*:*:*:*:*:*", "matchCriteriaId": "E3A1AA3F-0CCF-41B0-B8D7-2D72D82C0261", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:asus:rt-ac86u:-:*:*:*:*:*:*:*", "matchCriteriaId": "89095282-ABBD-4056-B731-7F05638DB1A6", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "\nASUS RT-AC86U AiProtection security- related function has insufficient filtering of special character. A remote attacker with regular user privilege can exploit this vulnerability to perform command injection attack to execute arbitrary commands, disrupt system or terminate services.\n\n\n\n"}, {"lang": "es", "value": "La funci\u00f3n relacionada con la seguridad AiProtection de ASUS RT-AC86U no tiene suficiente filtrado de caracteres especiales. Un atacante remoto con privilegios de usuario normal puede aprovechar esta vulnerabilidad para realizar un ataque de inyecci\u00f3n de comandos para ejecutar comandos arbitrarios, interrumpir el sistema o terminar servicios."}], "id": "CVE-2023-38032", "lastModified": "2023-09-12T20:46:03.037", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "twcert@cert.org.tw", "type": "Primary"}]}, "published": "2023-09-07T07:15:08.107", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7349-7f8cd-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "twcert@cert.org.tw", "type": "Primary"}]}

{}