CVE-2024-31162 - Vulnerability Details - OpenCVE

Description

The specific function parameter of ASUS Download Master does not properly filter user input. An unauthenticated remote attacker with administrative privileges can exploit this vulnerability to execute arbitrary system commands on the device.

Published: 2024-06-14

Score: 7.2 High

EPSS: 1.4% Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ASUS

Download Master

unaffected

Version	Status	Constraints
`earlier`	affected	≤ 3.1.0.113

No data.

No data.

No data available yet.

Remediation

Vendor Solution

Update to 3.1.0.114 or later version.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2024-29066	The specific function parameter of ASUS Download Master does not properly filter user input. An unauthenticated remote attacker with administrative privileges can exploit this vulnerability to execute arbitrary system commands on the device.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.01409.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.twcert.org.tw/en/cp-139-7868-8a760-2.html
https://www.twcert.org.tw/tw/cp-132-7867-8fad9-1.html

History

No history.

Subscriptions

Asus Download Master

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2024-06-14T06:35:07.192Z

Updated: 2024-08-02T01:46:04.365Z

Reserved: 2024-03-29T07:18:19.359Z

Link: CVE-2024-31162

Vulnrichment

Updated: 2024-06-18T20:42:13.841Z

NVD

Status : Awaiting Analysis

Published: 2024-06-14T07:15:50.153

Modified: 2024-11-21T09:12:56.727

Link: CVE-2024-31162

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-78

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31162", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "state": "PUBLISHED", "assignerShortName": "twcert", "dateReserved": "2024-03-29T07:18:19.359Z", "datePublished": "2024-06-14T06:35:07.192Z", "dateUpdated": "2024-08-02T01:46:04.365Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Download Master", "vendor": "ASUS", "versions": [{"lessThanOrEqual": "3.1.0.113", "status": "affected", "version": "earlier", "versionType": "custom"}]}], "datePublic": "2024-06-14T06:34:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The specific function parameter of ASUS Download Master does not properly filter user input. An unauthenticated remote attacker with administrative privileges can exploit this vulnerability to execute arbitrary system commands on the device."}], "value": "The specific function parameter of ASUS Download Master does not properly filter user input. An unauthenticated remote attacker with administrative privileges can exploit this vulnerability to execute arbitrary system commands on the device."}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-06-14T06:35:07.192Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7867-8fad9-1.html"}, {"tags": ["third-party-advisory"], "url": "https://www.twcert.org.tw/en/cp-139-7868-8a760-2.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to 3.1.0.114 or later version."}], "value": "Update to 3.1.0.114 or later version."}], "source": {"advisory": "TVN-202406007", "discovery": "EXTERNAL"}, "title": "ASUS Download Master - OS Command Injection", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "asus", "product": "download_master", "cpes": ["cpe:2.3:a:asus:download_master:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.1.0.113", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-06-18T20:29:57.054644Z", "id": "CVE-2024-31162", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-18T20:43:05.443Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:46:04.365Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-7867-8fad9-1.html"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://www.twcert.org.tw/en/cp-139-7868-8a760-2.html"}]}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-31162", "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "state": "PUBLISHED", "assignerShortName": "twcert", "dateReserved": "2024-03-29T07:18:19.359Z", "datePublished": "2024-06-14T06:35:07.192Z", "dateUpdated": "2024-06-18T20:43:05.443Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Download Master", "vendor": "ASUS", "versions": [{"lessThanOrEqual": "3.1.0.113", "status": "affected", "version": "earlier", "versionType": "custom"}]}], "datePublic": "2024-06-14T06:34:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The specific function parameter of ASUS Download Master does not properly filter user input. An unauthenticated remote attacker with administrative privileges can exploit this vulnerability to execute arbitrary system commands on the device."}], "value": "The specific function parameter of ASUS Download Master does not properly filter user input. An unauthenticated remote attacker with administrative privileges can exploit this vulnerability to execute arbitrary system commands on the device."}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert", "dateUpdated": "2024-06-14T06:35:07.192Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-7867-8fad9-1.html"}, {"tags": ["third-party-advisory"], "url": "https://www.twcert.org.tw/en/cp-139-7868-8a760-2.html"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to 3.1.0.114 or later version."}], "value": "Update to 3.1.0.114 or later version."}], "source": {"advisory": "TVN-202406007", "discovery": "EXTERNAL"}, "title": "ASUS Download Master - OS Command Injection", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-31162", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-06-18T20:29:57.054644Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:asus:download_master:*:*:*:*:*:*:*:*"], "vendor": "asus", "product": "download_master", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.1.0.113"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-18T20:42:13.841Z"}}]}}