Security Advisory ZPE-NG-2023-001
Advisory ID: ZPE-NG-2023-001
First Published: October 27, 2023
CVE ID: CVE-2023-43322
CVSSv3 Score: 8.8 (High)
Command injection [CWE-77] is possible in the following API endpoints:
The implementation of these endpoints uses their arguments without neutralization to compose a command executed by a spawned shell.
This vulnerability does not allow authentication to be bypassed.
Affected versions: Nodegrid OS 5.0.0 to 5.0.17, 5.2.0 to 5.2.19, 5.4.0 to 5.4.16, 5.6.0 to 5.6.13, 5.8.0 to 5.8.10, and 5.10.0 to 5.10.3.
Nodegrid OS is used in the following products:
- Nodegrid Serial Console
- Nodegrid Serial Console Plus
- Nodegrid Net Services Router
- Nodegrid Gate SR
- Nodegrid Link SR
- Nodegrid Bold SR
- Nodegrid Hive SR
- Nodegrid Mini SR
- Nodegrid Manager
An attacker may execute a shell command through an API endpoint that was not intended for that purpose.
The command is executed as the authenticated user.
Upgrade to Nodegrid OS version 5.10.4 or above.
Upgrade to Nodegrid OS version 5.8.11 or above.
Upgrade to Nodegrid OS version 5.6.14 or above.
Upgrade to Nodegrid OS version 5.4.17 or above.
Upgrade to Nodegrid OS version 5.2.20 or above.
Upgrade to Nodegrid OS version 5.0.18 or above.
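To triage a fleet against the version ranges in this advisory, the following added example (not ZPE's own tooling) classifies a reported Nodegrid OS version and names the fixed release for its branch. The inventory, hostnames and the format of the version strings are constructed assumptions; the ranges and fixed releases are the ones listed in this advisory.

```python
import re

# From this advisory: (major, minor) -> (last affected patch, first fixed release).
# Every listed branch is affected from patch 0 upward.
BRANCHES = {
    (5, 0): (17, "5.0.18"),
    (5, 2): (19, "5.2.20"),
    (5, 4): (16, "5.4.17"),
    (5, 6): (13, "5.6.14"),
    (5, 8): (10, "5.8.11"),
    (5, 10): (3, "5.10.4"),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as ints from the first x.y.z in text."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())


def triage(version_text):
    """Return ('affected', fix), ('fixed', None) or ('unlisted', None)."""
    major, minor, patch = parse_version(version_text)
    # Compare as integers: as strings, "5.10.3" would sort before "5.2.0".
    entry = BRANCHES.get((major, minor))
    if entry is None:
        # Branch not named in the advisory: report it, do not guess.
        return ("unlisted", None)
    last_affected, fixed_release = entry
    if patch <= last_affected:
        return ("affected", fixed_release)
    return ("fixed", None)


# Constructed sample inventory: hostname -> version string as reported.
INVENTORY = {
    "nsc-lab-01": "5.8.10",
    "nsr-edge-02": "v5.10.4",
    "gate-sr-03": "5.2.19 (constructed build tag)",
    "mgr-04": "5.1.7",
}

if __name__ == "__main__":
    for host, reported in INVENTORY.items():
        status, fix = triage(reported)
        print(f"{host:12} {reported:32} {status:9} {fix or '-'}")
```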
- 2023-08-03: Initial report
- 2023-08-11: Released 5.8.11 with a fix.
- 2023-08-25: Released 5.10.4 with a fix.
- 2023-09-29: Released 5.6.14 with a fix.
- 2023-10-20: Released 5.4.17, 5.2.20, and 5.0.18 with a fix.
- 2023-10-27: Initial public disclosure.
- 2023-11-03: Updated CVSS score.
This vulnerability was discovered and reported by Kevin Humphreys, Backbone Engineering, Meta.