CVE-2023-49694 - Vulnerability Details - OpenCVE

Description

A low-privileged OS user with access to a Windows host where NETGEAR ProSAFE Network Management System is installed can create arbitrary JSP files in a Tomcat web application directory. The user can then execute the JSP files under the security context of SYSTEM.

Published: 2023-11-29

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

NETGEAR

NETGEAR ProSAFE Network Management System

unaffected

Version	Status	Constraints
`0`	affected	< 1.7.0.34

Configuration 1 [-]

cpe:2.3:a:netgear:prosafe_network_management_system:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

Vendor Solution

The issue has been fixed in NMS300 version 1.7.0.31

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2023-53628	A low-privileged OS user with access to a Windows host where NETGEAR ProSAFE Network Management System is installed can create arbitrary JSP files in a Tomcat web application directory. The user can then execute the JSP files under the security context of SYSTEM.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0009.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://kb.netgear.com/000065885/Security-Advisory-for-Vertical-Privilege-Escalation-on-the-NMS300-PSV-2023-0127
https://www.tenable.com/security/research/tra-2023-39

History

No history.

Subscriptions

Netgear Prosafe Network Management System

MITRE

Status: PUBLISHED

Assigner: tenable

Published: 2023-11-29T22:47:42.597Z

Updated: 2024-08-02T22:01:25.766Z

Reserved: 2023-11-29T22:03:49.958Z

Link: CVE-2023-49694

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-11-29T23:15:20.750

Modified: 2024-11-21T08:33:42.957

Link: CVE-2023-49694

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-49694", "assignerOrgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "state": "PUBLISHED", "assignerShortName": "tenable", "dateReserved": "2023-11-29T22:03:49.958Z", "datePublished": "2023-11-29T22:47:42.597Z", "dateUpdated": "2024-08-02T22:01:25.766Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "NETGEAR ProSAFE Network Management System", "vendor": "NETGEAR", "versions": [{"lessThan": "1.7.0.34", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2023-11-29T22:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n\n\nA low-privileged OS user with access to a Windows host where NETGEAR ProSAFE Network Management System is installed can create arbitrary JSP files in a Tomcat web application directory. The user can then execute the JSP files under the security context of SYSTEM.\n\n\n\n"}], "value": "\n\n\nA low-privileged OS user with access to a Windows host where NETGEAR ProSAFE Network Management System is installed can create arbitrary JSP files in a Tomcat web application directory. The user can then execute the JSP files under the security context of SYSTEM.\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "5ac1ecc2-367a-4d16-a0b2-35d495ddd0be", "shortName": "tenable", "dateUpdated": "2023-11-29T22:47:42.597Z"}, "references": [{"url": "https://www.tenable.com/security/research/tra-2023-39"}, {"url": "https://kb.netgear.com/000065885/Security-Advisory-for-Vertical-Privilege-Escalation-on-the-NMS300-PSV-2023-0127"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nThe issue has been fixed in NMS300 version 1.7.0.31\n\n<br>"}], "value": "\nThe issue has been fixed in NMS300 version 1.7.0.31\n\n\n"}], "source": {"discovery": "UNKNOWN"}, "title": "NETGEAR ProSAFE Network Management System Privilege Escalation Via MySQL Server", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:01:25.766Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.tenable.com/security/research/tra-2023-39", "tags": ["x_transferred"]}, {"url": "https://kb.netgear.com/000065885/Security-Advisory-for-Vertical-Privilege-Escalation-on-the-NMS300-PSV-2023-0127", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netgear:prosafe_network_management_system:*:*:*:*:*:*:*:*", "matchCriteriaId": "9A616F4D-0720-4399-8630-F0A017A50439", "versionEndExcluding": "1.7.0.31", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\n\n\nA low-privileged OS user with access to a Windows host where NETGEAR ProSAFE Network Management System is installed can create arbitrary JSP files in a Tomcat web application directory. The user can then execute the JSP files under the security context of SYSTEM.\n\n\n\n"}, {"lang": "es", "value": "Un usuario de sistema operativo con pocos privilegios y acceso a un host de Windows donde est\u00e1 instalado NETGEAR ProSAFE Network Management System puede crear archivos JSP arbitrarios en un directorio de aplicaci\u00f3n web Tomcat. Luego, el usuario puede ejecutar los archivos JSP bajo el contexto de seguridad de SYSTEM."}], "id": "CVE-2023-49694", "lastModified": "2024-11-21T08:33:42.957", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "vulnreport@tenable.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-29T23:15:20.750", "references": [{"source": "vulnreport@tenable.com", "tags": ["Vendor Advisory"], "url": "https://kb.netgear.com/000065885/Security-Advisory-for-Vertical-Privilege-Escalation-on-the-NMS300-PSV-2023-0127"}, {"source": "vulnreport@tenable.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://www.tenable.com/security/research/tra-2023-39"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://kb.netgear.com/000065885/Security-Advisory-for-Vertical-Privilege-Escalation-on-the-NMS300-PSV-2023-0127"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://www.tenable.com/security/research/tra-2023-39"}], "sourceIdentifier": "vulnreport@tenable.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "vulnreport@tenable.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}