CVE-2023-48194 - Vulnerability Details - OpenCVE

Vulnerability in Tenda AC8v4 .V16.03.34.09 due to sscanf and the last digit of s8 being overwritten with \x0. After executing set_client_qos, control over the gp register can be obtained.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00324.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Tenda	Ac8 Firmware Ac8v4 Ac8v4 Firmware

Configuration 1 [-]

AND

cpe:2.3:o:tenda:ac8v4_firmware:16.03.34.09:*:*:*:*:*:*:*

cpe:2.3:h:tenda:ac8v4:-:*:*:*:*:*:*:*

No data.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://tenda.com
https://github.com/zt20xx/CVE-2023-48194
https://www.tenda.com.cn/download/detail-3683.html

History

Thu, 24 Oct 2024 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Tenda ac8 Firmware
CPEs		cpe:2.3:a:tenda:ac8_firmware:16.03.34.09:::::::*
Vendors & Products		Tenda ac8 Firmware
Metrics	cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 6.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}`

Thu, 24 Oct 2024 17:45:00 +0000

Type	Values Removed	Values Added
References		https://www.tenda.com.cn/download/detail-3683.html

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2024-07-09T00:00:00

Updated: 2024-10-24T17:36:39.015027

Reserved: 2023-11-13T00:00:00

Link: CVE-2023-48194

Vulnrichment

Updated: 2024-08-02T21:23:39.221Z

NVD

Status : Modified

Published: 2024-07-09T18:15:08.790

Modified: 2024-11-21T08:31:11.740

Link: CVE-2023-48194

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-48194", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-24T17:36:39.015027", "dateReserved": "2023-11-13T00:00:00", "datePublished": "2024-07-09T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-10-24T17:36:39.015027"}, "descriptions": [{"lang": "en", "value": "Vulnerability in Tenda AC8v4 .V16.03.34.09 due to sscanf and the last digit of s8 being overwritten with \\x0. After executing set_client_qos, control over the gp register can be obtained."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://tenda.com"}, {"url": "https://github.com/zt20xx/CVE-2023-48194"}, {"url": "https://www.tenda.com.cn/download/detail-3683.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-787", "lang": "en", "description": "CWE-787 Out-of-bounds Write"}]}], "affected": [{"vendor": "tenda", "product": "ac8_firmware", "cpes": ["cpe:2.3:a:tenda:ac8_firmware:16.03.34.09:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "16.03.34.09", "status": "affected"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-10T14:56:58.589839Z", "id": "CVE-2023-48194", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-10T15:07:07.851Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:23:39.221Z"}, "title": "CVE Program Container", "references": [{"url": "http://tenda.com", "tags": ["x_transferred"]}, {"url": "https://github.com/zt20xx/CVE-2023-48194", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://tenda.com", "tags": ["x_transferred"]}, {"url": "https://github.com/zt20xx/CVE-2023-48194", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T21:23:39.221Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-48194", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-10T14:56:58.589839Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:tenda:ac8_firmware:16.03.34.09:*:*:*:*:*:*:*"], "vendor": "tenda", "product": "ac8_firmware", "versions": [{"status": "affected", "version": "16.03.34.09"}], "defaultStatus": "unknown"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787 Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-10T15:04:14.663Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://tenda.com"}, {"url": "https://github.com/zt20xx/CVE-2023-48194"}, {"url": "https://www.tenda.com.cn/download/detail-3683.html"}], "descriptions": [{"lang": "en", "value": "Vulnerability in Tenda AC8v4 .V16.03.34.09 due to sscanf and the last digit of s8 being overwritten with \\x0. After executing set_client_qos, control over the gp register can be obtained."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2024-10-24T17:36:39.015027"}}}, "cveMetadata": {"cveId": "CVE-2023-48194", "state": "PUBLISHED", "dateUpdated": "2024-10-24T17:36:39.015027", "dateReserved": "2023-11-13T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2024-07-09T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:tenda:ac8v4_firmware:16.03.34.09:*:*:*:*:*:*:*", "matchCriteriaId": "EBA24E9E-3F2C-48C7-96EE-09819A3FA43F", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:tenda:ac8v4:-:*:*:*:*:*:*:*", "matchCriteriaId": "8EEC256B-442B-4FE8-8253-7A725CF66A6C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "Vulnerability in Tenda AC8v4 .V16.03.34.09 due to sscanf and the last digit of s8 being overwritten with \\x0. After executing set_client_qos, control over the gp register can be obtained."}, {"lang": "es", "value": "Vulnerabilidad en Tenda AC8v4 .V16.03.34.09 debido a que sscanf y el \u00faltimo d\u00edgito de s8 se sobrescriben con \\x0. Despu\u00e9s de ejecutar set_client_qos, se puede obtener el control sobre el registro gp."}], "id": "CVE-2023-48194", "lastModified": "2024-11-21T08:31:11.740", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-07-09T18:15:08.790", "references": [{"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "http://tenda.com"}, {"source": "cve@mitre.org", "tags": ["Exploit"], "url": "https://github.com/zt20xx/CVE-2023-48194"}, {"source": "cve@mitre.org", "url": "https://www.tenda.com.cn/download/detail-3683.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Not Applicable"], "url": "http://tenda.com"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "https://github.com/zt20xx/CVE-2023-48194"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}