CVE-2023-42136 - Vulnerability Details - OpenCVE

PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow the execution of arbitrary commands with system account privilege by shell injection starting with a specific word.

The attacker must have shell access to the device in order to exploit this vulnerability.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00078.

Exploitation poc

Automatable no

Technical Impact total

Vendors	Products
Paxtechnology	A50 A6650 A77 A800 A920 A920 Max A920 Pro D190 Paydroid

Configuration 1 [-]

AND

cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*

cpe:2.3:h:paxtechnology:a50:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*

cpe:2.3:h:paxtechnology:a6650:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*

cpe:2.3:h:paxtechnology:a800:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*

cpe:2.3:h:paxtechnology:a77:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*

cpe:2.3:h:paxtechnology:a920:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*

cpe:2.3:h:paxtechnology:a920_pro:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*

cpe:2.3:h:paxtechnology:a920_max:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*

cpe:2.3:h:paxtechnology:d190:-:*:*:*:*:*:*:*

No data.

No data.

References

Link	Providers
https://blog.stmcyber.com/pax-pos-cves-2023/
https://cert.pl/en/posts/2024/01/CVE-2023-4818/
https://cert.pl/posts/2024/01/CVE-2023-4818/
https://ppn.paxengine.com/release/development

History

Fri, 11 Oct 2024 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 10 Oct 2024 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-20

Thu, 10 Oct 2024 15:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-77

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published: 2024-01-15T13:28:57.814Z

Updated: 2024-10-10T15:35:55.315Z

Reserved: 2023-09-07T13:17:57.372Z

Link: CVE-2023-42136

Vulnrichment

Updated: 2024-08-02T19:16:50.589Z

NVD

Status : Modified

Published: 2024-01-15T14:15:24.670

Modified: 2024-11-21T08:22:20.893

Link: CVE-2023-42136

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-42136", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2023-09-07T13:17:57.372Z", "datePublished": "2024-01-15T13:28:57.814Z", "dateUpdated": "2024-10-10T15:35:55.315Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Android"], "product": "POS terminals", "vendor": "PAX Technology", "versions": [{"lessThanOrEqual": "11.1.50_20230614", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Hubert Jasudowicz, Adam Kli\u015b and other members of STM Cyber R&D team"}], "datePublic": "2024-01-15T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow the execution of arbitrary commands with system account privilege by shell injection starting with a specific word.</div><div><br></div>The attacker must have shell access to the device in order to exploit this vulnerability."}], "value": "PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow the execution of arbitrary commands with system account privilege by shell injection starting with a specific word.\n\n\n\n\nThe attacker must have shell access to the device in order to exploit this vulnerability."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-10-10T15:35:55.315Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://ppn.paxengine.com/release/development"}, {"tags": ["technical-description"], "url": "https://blog.stmcyber.com/pax-pos-cves-2023/"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2024/01/CVE-2023-4818/"}, {"tags": ["third-party-advisory"], "url": "https://cert.pl/posts/2024/01/CVE-2023-4818/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:16:50.589Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://ppn.paxengine.com/release/development"}, {"tags": ["technical-description", "x_transferred"], "url": "https://blog.stmcyber.com/pax-pos-cves-2023/"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://cert.pl/en/posts/2024/01/CVE-2023-4818/"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://cert.pl/posts/2024/01/CVE-2023-4818/"}]}, {"affected": [{"vendor": "paxtechnology", "product": "paydroid", "cpes": ["cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "8.1.0_sagittarius_11.1.50_20230614", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-26T19:54:23.742086Z", "id": "CVE-2023-42136", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-26T20:03:31.967Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://ppn.paxengine.com/release/development", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://blog.stmcyber.com/pax-pos-cves-2023/", "tags": ["technical-description", "x_transferred"]}, {"url": "https://cert.pl/en/posts/2024/01/CVE-2023-4818/", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://cert.pl/posts/2024/01/CVE-2023-4818/", "tags": ["third-party-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T19:16:50.589Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-42136", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-26T19:54:23.742086Z"}}}], "affected": [{"cpes": ["cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*"], "vendor": "paxtechnology", "product": "paydroid", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "8.1.0_sagittarius_11.1.50_20230614"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-26T19:55:38.048Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Hubert Jasudowicz, Adam Kli\u015b and other members of STM Cyber R&D team"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "PAX Technology", "product": "POS terminals", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "11.1.50_20230614"}], "platforms": ["Android"], "defaultStatus": "unaffected"}], "datePublic": "2024-01-15T11:00:00.000Z", "references": [{"url": "https://ppn.paxengine.com/release/development", "tags": ["vendor-advisory"]}, {"url": "https://blog.stmcyber.com/pax-pos-cves-2023/", "tags": ["technical-description"]}, {"url": "https://cert.pl/en/posts/2024/01/CVE-2023-4818/", "tags": ["third-party-advisory"]}, {"url": "https://cert.pl/posts/2024/01/CVE-2023-4818/", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow the execution of arbitrary commands with system account privilege by shell injection starting with a specific word.\n\n\n\n\nThe attacker must have shell access to the device in order to exploit this vulnerability.", "supportingMedia": [{"type": "text/html", "value": "<div>PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow the execution of arbitrary commands with system account privilege by shell injection starting with a specific word.</div><div><br></div>The attacker must have shell access to the device in order to exploit this vulnerability.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2024-10-10T15:35:55.315Z"}}}, "cveMetadata": {"cveId": "CVE-2023-42136", "state": "PUBLISHED", "dateUpdated": "2024-10-10T15:35:55.315Z", "dateReserved": "2023-09-07T13:17:57.372Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2024-01-15T13:28:57.814Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*", "matchCriteriaId": "970DD715-DA0A-4E3B-A51A-4B04EEC55CC8", "versionEndIncluding": "8.1.0_sagittarius_11.1.50_20230614", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:paxtechnology:a50:-:*:*:*:*:*:*:*", "matchCriteriaId": "DFCCCD93-0374-4AE1-8986-E0997B53A51C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*", "matchCriteriaId": "970DD715-DA0A-4E3B-A51A-4B04EEC55CC8", "versionEndIncluding": "8.1.0_sagittarius_11.1.50_20230614", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:paxtechnology:a6650:-:*:*:*:*:*:*:*", "matchCriteriaId": "8C020172-6E0C-4265-B4C9-ED93C84FE8AA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*", "matchCriteriaId": "970DD715-DA0A-4E3B-A51A-4B04EEC55CC8", "versionEndIncluding": "8.1.0_sagittarius_11.1.50_20230614", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:paxtechnology:a800:-:*:*:*:*:*:*:*", "matchCriteriaId": "AFCD5218-5AA0-4086-926C-3EAEE1E43136", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*", "matchCriteriaId": "970DD715-DA0A-4E3B-A51A-4B04EEC55CC8", "versionEndIncluding": "8.1.0_sagittarius_11.1.50_20230614", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:paxtechnology:a77:-:*:*:*:*:*:*:*", "matchCriteriaId": "0390BD9D-1FF7-456E-9394-34F009DE82CF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*", "matchCriteriaId": "970DD715-DA0A-4E3B-A51A-4B04EEC55CC8", "versionEndIncluding": "8.1.0_sagittarius_11.1.50_20230614", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:paxtechnology:a920:-:*:*:*:*:*:*:*", "matchCriteriaId": "D351F870-D43F-48B4-B2AC-0FDDD7B82ED4", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*", "matchCriteriaId": "970DD715-DA0A-4E3B-A51A-4B04EEC55CC8", "versionEndIncluding": "8.1.0_sagittarius_11.1.50_20230614", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:paxtechnology:a920_pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "FF80918D-3453-4F42-A8A0-DA993C398394", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*", "matchCriteriaId": "970DD715-DA0A-4E3B-A51A-4B04EEC55CC8", "versionEndIncluding": "8.1.0_sagittarius_11.1.50_20230614", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:paxtechnology:a920_max:-:*:*:*:*:*:*:*", "matchCriteriaId": "8612B592-DFE4-4B66-B24D-71EEA747FAA2", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:paxtechnology:paydroid:*:*:*:*:*:*:*:*", "matchCriteriaId": "970DD715-DA0A-4E3B-A51A-4B04EEC55CC8", "versionEndIncluding": "8.1.0_sagittarius_11.1.50_20230614", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:paxtechnology:d190:-:*:*:*:*:*:*:*", "matchCriteriaId": "DB9483F8-5201-4F31-9F9A-F00A48C4C972", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "PAX Android based POS devices with PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 or earlier can allow the execution of arbitrary commands with system account privilege by shell injection starting with a specific word.\n\n\n\n\nThe attacker must have shell access to the device in order to exploit this vulnerability."}, {"lang": "es", "value": "Los dispositivos POS PAX basados en Android con PayDroid_8.1.0_Sagittarius_V11.1.50_20230614 o anterior pueden permitir la ejecuci\u00f3n de comandos arbitrarios con privilegios de cuenta del sistema mediante inyecci\u00f3n de shell comenzando con una palabra espec\u00edfica. El atacante debe tener acceso de shell al dispositivo para poder aprovechar esta vulnerabilidad."}], "id": "CVE-2023-42136", "lastModified": "2024-11-21T08:22:20.893", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "cvd@cert.pl", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-15T14:15:24.670", "references": [{"source": "cvd@cert.pl", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.stmcyber.com/pax-pos-cves-2023/"}, {"source": "cvd@cert.pl", "tags": ["Third Party Advisory"], "url": "https://cert.pl/en/posts/2024/01/CVE-2023-4818/"}, {"source": "cvd@cert.pl", "tags": ["Third Party Advisory"], "url": "https://cert.pl/posts/2024/01/CVE-2023-4818/"}, {"source": "cvd@cert.pl", "tags": ["Permissions Required"], "url": "https://ppn.paxengine.com/release/development"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://blog.stmcyber.com/pax-pos-cves-2023/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.pl/en/posts/2024/01/CVE-2023-4818/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://cert.pl/posts/2024/01/CVE-2023-4818/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://ppn.paxengine.com/release/development"}], "sourceIdentifier": "cvd@cert.pl", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "cvd@cert.pl", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}