Back

CVE-2023-27370

May 3, 2024, 12:50 p.m.

Awaiting Analysis
CVE has been recently published to the CVE List and has been received by the NVD.

Products

NETGEAR RAX30 router

NETGEAR RAX30 Router

Source

zdi-disclosures@trendmicro.com

Tags

zdi-disclosures@trendmicro.com
2024-05-03
CVE-2023-27370
CWE-312

CVE-2023-27370 details

Published : May 3, 2024, 2:15 a.m.
Last Modified : May 3, 2024, 12:50 p.m.

Description

NETGEAR RAX30 Device Configuration Cleartext Storage Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of NETGEAR RAX30 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of device configuration. The issue results from the storage of configuration secrets in plaintext. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-19841.

CVSS Score

1 2 3 4 5.7 6 7 8 9 10

Weakness

Weakness Name Description

CVSS Data

Attack Vector

ADJACENT_NETWORK

Attack Complexity

LOW

Privileges Required

LOW

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

5.7

Exploitability Score

Impact Score

Base Severity

MEDIUM

Vector String : CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

URL Source
https://kb.netgear.com/000065619/Security-Advisory-for-Multiple-Vulnerabilities-on-the-RAX30-PSV-2022-0348 zdi-disclosures@trendmicro.com
https://www.zerodayinitiative.com/advisories/ZDI-23-501/ zdi-disclosures@trendmicro.com
This website uses the NVD API, but is not approved or certified by it.