Vulnerabilites related to ui - er-8-xg
CVE-2023-23912 (GCVE-0-2023-23912)
Vulnerability from cvelistv5
Published
2023-02-09 00:00
Modified
2025-03-24 19:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-75 - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) ()
Summary
A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.56 and earlier with their DHCPv6 prefix delegation set to dhcpv6-stateless or dhcpv6-stateful, allows a malicious actor directly connected to the WAN interface of an affected device to create a remote code execution vulnerability.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Ubiquiti EdgeRouter(s) and USG(s) |
Version: EdgeRouter(s) Version 2.0.9-hotfix.6 or later and USG(s) to Version 4.4.57 or later |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:42:27.060Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-028-028/696e4e3b-718c-4da4-9a21-965a85633b5f"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-23912",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-24T19:01:41.360781Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-24T19:02:10.197Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Ubiquiti EdgeRouter(s) and USG(s)",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "EdgeRouter(s) Version 2.0.9-hotfix.6 or later and USG(s) to Version 4.4.57 or later"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.56 and earlier with their DHCPv6 prefix delegation set to dhcpv6-stateless or dhcpv6-stateful, allows a malicious actor directly connected to the WAN interface of an affected device to create a remote code execution vulnerability."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-75",
"description": "Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) (CWE-75)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-09T00:00:00.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-028-028/696e4e3b-718c-4da4-9a21-965a85633b5f"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2023-23912",
"datePublished": "2023-02-09T00:00:00.000Z",
"dateReserved": "2023-01-19T00:00:00.000Z",
"dateUpdated": "2025-03-24T19:02:10.197Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2019-16889 (GCVE-0-2019-16889)
Vulnerability from cvelistv5
Published
2019-09-25 19:51
Modified
2024-08-05 01:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Ubiquiti EdgeMAX devices before 2.0.3 allow remote attackers to cause a denial of service (disk consumption) because *.cache files in /var/run/beaker/container_file/ are created when providing a valid length payload of 249 characters or fewer to the beaker.session.id cookie in a GET header. The attacker can use a long series of unique session IDs.
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:24:48.289Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://mjlanders.com/2019/07/28/resource-consumption-dos-on-edgemax-v1-10-6/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/406614"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.ui.com/releases/New-EdgeRouter-firmware-2-0-3-has-been-released-2-0-3/e8badd28-a112-4269-9fb6-ffe3fc0e1643"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ubiquiti EdgeMAX devices before 2.0.3 allow remote attackers to cause a denial of service (disk consumption) because *.cache files in /var/run/beaker/container_file/ are created when providing a valid length payload of 249 characters or fewer to the beaker.session.id cookie in a GET header. The attacker can use a long series of unique session IDs."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-09-25T19:51:38",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://mjlanders.com/2019/07/28/resource-consumption-dos-on-edgemax-v1-10-6/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/406614"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://community.ui.com/releases/New-EdgeRouter-firmware-2-0-3-has-been-released-2-0-3/e8badd28-a112-4269-9fb6-ffe3fc0e1643"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16889",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Ubiquiti EdgeMAX devices before 2.0.3 allow remote attackers to cause a denial of service (disk consumption) because *.cache files in /var/run/beaker/container_file/ are created when providing a valid length payload of 249 characters or fewer to the beaker.session.id cookie in a GET header. The attacker can use a long series of unique session IDs."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://mjlanders.com/2019/07/28/resource-consumption-dos-on-edgemax-v1-10-6/",
"refsource": "MISC",
"url": "https://mjlanders.com/2019/07/28/resource-consumption-dos-on-edgemax-v1-10-6/"
},
{
"name": "https://hackerone.com/reports/406614",
"refsource": "MISC",
"url": "https://hackerone.com/reports/406614"
},
{
"name": "https://community.ui.com/releases/New-EdgeRouter-firmware-2-0-3-has-been-released-2-0-3/e8badd28-a112-4269-9fb6-ffe3fc0e1643",
"refsource": "MISC",
"url": "https://community.ui.com/releases/New-EdgeRouter-firmware-2-0-3-has-been-released-2-0-3/e8badd28-a112-4269-9fb6-ffe3fc0e1643"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16889",
"datePublished": "2019-09-25T19:51:38",
"dateReserved": "2019-09-25T00:00:00",
"dateUpdated": "2024-08-05T01:24:48.289Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2019-09-25 20:15
Modified
2024-11-21 04:31
Severity ?
Summary
Ubiquiti EdgeMAX devices before 2.0.3 allow remote attackers to cause a denial of service (disk consumption) because *.cache files in /var/run/beaker/container_file/ are created when providing a valid length payload of 249 characters or fewer to the beaker.session.id cookie in a GET header. The attacker can use a long series of unique session IDs.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://community.ui.com/releases/New-EdgeRouter-firmware-2-0-3-has-been-released-2-0-3/e8badd28-a112-4269-9fb6-ffe3fc0e1643 | Patch, Vendor Advisory | |
| cve@mitre.org | https://hackerone.com/reports/406614 | Exploit, Issue Tracking, Third Party Advisory | |
| cve@mitre.org | https://mjlanders.com/2019/07/28/resource-consumption-dos-on-edgemax-v1-10-6/ | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://community.ui.com/releases/New-EdgeRouter-firmware-2-0-3-has-been-released-2-0-3/e8badd28-a112-4269-9fb6-ffe3fc0e1643 | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/406614 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://mjlanders.com/2019/07/28/resource-consumption-dos-on-edgemax-v1-10-6/ | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ui | er-x_firmware | * | |
| ui | er-x | - | |
| ui | er-x-sfp_firmware | * | |
| ui | er-x-sfp | - | |
| ui | ep-r6_firmware | * | |
| ui | ep-r6 | - | |
| ui | erlite-3_firmware | * | |
| ui | erlite-3 | - | |
| ui | erpoe-5_firmware | * | |
| ui | erpoe-5 | - | |
| ui | er-8_firmware | * | |
| ui | er-8 | - | |
| ui | erpro-8_firmware | * | |
| ui | erpro-8 | - | |
| ui | ep-r8_firmware | * | |
| ui | ep-r8 | - | |
| ui | er-4_firmware | * | |
| ui | er-4 | - | |
| ui | er-6p_firmware | * | |
| ui | er-6p | - | |
| ui | er-12_firmware | * | |
| ui | er-12 | - | |
| ui | er-8-xg_firmware | * | |
| ui | er-8-xg | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:er-x_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "12000017-B53B-4A2A-A7ED-3869BF7671B3",
"versionEndExcluding": "2.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:er-x:-:*:*:*:*:*:*:*",
"matchCriteriaId": "91B9AD72-BF39-4731-85B9-26036F7C425B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:er-x-sfp_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "37FDB6EC-6ECA-4CD6-931D-28D52CF2DF6C",
"versionEndExcluding": "2.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:er-x-sfp:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4F922D6E-7C6D-4984-A0DF-6EDC0C7A9900",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:ep-r6_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "63162607-4EBA-49B7-8DBC-5D3EFD0C523A",
"versionEndExcluding": "2.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:ep-r6:-:*:*:*:*:*:*:*",
"matchCriteriaId": "FF781B02-254D-4A5F-A98B-089E87ADB293",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:erlite-3_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0068C171-0F72-4FCE-8AD4-B6237FCD4B73",
"versionEndExcluding": "2.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:erlite-3:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0071AC31-76DE-4787-9ED3-A93119B7D4A9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:erpoe-5_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "883E0737-80B7-484A-A2D6-75CFB069331E",
"versionEndExcluding": "2.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:erpoe-5:-:*:*:*:*:*:*:*",
"matchCriteriaId": "966719CB-C9DD-41DF-8DE1-51491400C251",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:er-8_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C2947841-43B3-4F61-96B3-78BAB8848E4A",
"versionEndExcluding": "2.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:er-8:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C941B4B4-D117-4934-BDB0-3E7EB707CBD6",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:erpro-8_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5D3321B7-E3AE-4935-ADA0-FCCEF43C86A8",
"versionEndExcluding": "2.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:erpro-8:-:*:*:*:*:*:*:*",
"matchCriteriaId": "B103990A-E41C-45C0-861A-E5A133DAB312",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:ep-r8_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1867AAD3-E437-4D9F-9D7E-C19F3EB0EA95",
"versionEndExcluding": "2.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:ep-r8:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AC9D64BD-3A85-4100-9326-67289D4E07F9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:er-4_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7120C8C4-535F-4AB8-8A31-DF341BCB1659",
"versionEndExcluding": "2.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:er-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C0DBDD16-1FDE-45FA-9A5C-44BCF44D70FB",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:er-6p_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9C5FBCB4-E305-4D4C-A6FF-B38E4123125B",
"versionEndExcluding": "2.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:er-6p:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E9EA558B-7CF3-4CD0-8D73-A6BC646948C9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:er-12_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4E534058-D49B-4771-BC75-178ACB5BEB01",
"versionEndExcluding": "2.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:er-12:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0A7DEE4B-D49C-4D11-9AA8-3F422DDF8964",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:er-8-xg_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8E5BCFE8-C74D-4DED-828A-B0A4213C62B9",
"versionEndExcluding": "2.0.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:er-8-xg:-:*:*:*:*:*:*:*",
"matchCriteriaId": "EBB1CDE7-F121-4D6A-A729-C6A1F27100E8",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Ubiquiti EdgeMAX devices before 2.0.3 allow remote attackers to cause a denial of service (disk consumption) because *.cache files in /var/run/beaker/container_file/ are created when providing a valid length payload of 249 characters or fewer to the beaker.session.id cookie in a GET header. The attacker can use a long series of unique session IDs."
},
{
"lang": "es",
"value": "Los dispositivos Ubiquiti EdgeMAX versiones anteriores a 2.0.3, permiten a atacantes remotos causar una denegaci\u00f3n de servicio (consumo de disco) porque los archivos *.cache en /var/run/beaker/container_file/ son creados cuando se proporciona una carga \u00fatil de longitud v\u00e1lida de 249 caracteres o menos para la cookie beaker.session.id en un encabezado GET. El atacante puede utilizar una larga serie de los ID de sesi\u00f3n \u00fanicos."
}
],
"id": "CVE-2019-16889",
"lastModified": "2024-11-21T04:31:16.817",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-09-25T20:15:11.120",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://community.ui.com/releases/New-EdgeRouter-firmware-2-0-3-has-been-released-2-0-3/e8badd28-a112-4269-9fb6-ffe3fc0e1643"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/406614"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://mjlanders.com/2019/07/28/resource-consumption-dos-on-edgemax-v1-10-6/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://community.ui.com/releases/New-EdgeRouter-firmware-2-0-3-has-been-released-2-0-3/e8badd28-a112-4269-9fb6-ffe3fc0e1643"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/406614"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://mjlanders.com/2019/07/28/resource-consumption-dos-on-edgemax-v1-10-6/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-02-09 20:15
Modified
2025-03-24 19:15
Severity ?
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.56 and earlier with their DHCPv6 prefix delegation set to dhcpv6-stateless or dhcpv6-stateful, allows a malicious actor directly connected to the WAN interface of an affected device to create a remote code execution vulnerability.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| support@hackerone.com | https://community.ui.com/releases/Security-Advisory-Bulletin-028-028/696e4e3b-718c-4da4-9a21-965a85633b5f | Exploit, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://community.ui.com/releases/Security-Advisory-Bulletin-028-028/696e4e3b-718c-4da4-9a21-965a85633b5f | Exploit, Patch, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:usg_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "42EEFED0-A2A2-4331-A87A-A181742D0550",
"versionEndExcluding": "4.4.57",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:usg:-:*:*:*:*:*:*:*",
"matchCriteriaId": "59478336-F60A-4963-A3E3-89B04A119223",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:usg-pro-4_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "7074B37B-FBD0-4484-96FA-15F51661CBD7",
"versionEndExcluding": "4.4.57",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:usg-pro-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "D357AC52-6588-45F2-ACAC-165B4C97F464",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:er-10x_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0443C2FC-354E-47A1-A73B-912DD16EA216",
"versionEndExcluding": "2.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-10x_firmware:2.0.9:-:*:*:*:*:*:*",
"matchCriteriaId": "91B1E29D-7EEA-42BE-BB73-2EDF0DF1D7B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-10x_firmware:2.0.9:hotfix2:*:*:*:*:*:*",
"matchCriteriaId": "0C20F448-B93A-49CA-BB13-FBCB08BB9D4F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-10x_firmware:2.0.9:hotfix4:*:*:*:*:*:*",
"matchCriteriaId": "B0CC4F6A-660D-4EED-886D-63E8EA9723B4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-10x_firmware:2.0.9:hotfix5:*:*:*:*:*:*",
"matchCriteriaId": "32E6424A-4E41-4DDA-A8FE-66C0DE007623",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:er-10x:-:*:*:*:*:*:*:*",
"matchCriteriaId": "257D043B-BBD0-45D5-AEA4-32DC720F3C2B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:er-12_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0FAD0529-AA21-48D4-86CC-663381C8C211",
"versionEndExcluding": "2.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-12_firmware:2.0.9:-:*:*:*:*:*:*",
"matchCriteriaId": "6E80E56E-A867-40F0-B5E7-B4B0CE4F912F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-12_firmware:2.0.9:hotfix2:*:*:*:*:*:*",
"matchCriteriaId": "12E1323D-1078-4501-A8FD-7DB263F2411E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-12_firmware:2.0.9:hotfix4:*:*:*:*:*:*",
"matchCriteriaId": "0D6756AB-F23F-4060-B38F-DBAA0BC8733B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-12_firmware:2.0.9:hotfix5:*:*:*:*:*:*",
"matchCriteriaId": "B10F7FBC-3274-4CB7-AA87-72C2B43DA457",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:er-12:-:*:*:*:*:*:*:*",
"matchCriteriaId": "0A7DEE4B-D49C-4D11-9AA8-3F422DDF8964",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:er-12p_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "80B96493-2E6D-4F9E-AD41-CD1AB46C0650",
"versionEndExcluding": "2.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-12p_firmware:2.0.9:-:*:*:*:*:*:*",
"matchCriteriaId": "D99F46FE-6FA5-4995-B9AB-6DA45AC6AC84",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-12p_firmware:2.0.9:hotfix2:*:*:*:*:*:*",
"matchCriteriaId": "AB366C51-77CB-4DA9-957B-873A814EFAD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-12p_firmware:2.0.9:hotfix4:*:*:*:*:*:*",
"matchCriteriaId": "9015D609-89CF-4296-9E79-24E39F4C6AA0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-12p_firmware:2.0.9:hotfix5:*:*:*:*:*:*",
"matchCriteriaId": "FA39BE0A-9BEA-4578-87E6-AD2402DBC101",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:er-12p:-:*:*:*:*:*:*:*",
"matchCriteriaId": "510797FB-103E-43D3-843B-5330716A13F5",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:er-4_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DA799FF3-1F2A-421D-AB8C-1078F82EA42C",
"versionEndExcluding": "2.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-4_firmware:2.0.9:-:*:*:*:*:*:*",
"matchCriteriaId": "E0E5186F-3777-4A48-B26C-B2E9ADDA5142",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-4_firmware:2.0.9:hotfix2:*:*:*:*:*:*",
"matchCriteriaId": "98E75674-504E-4F23-A326-C3257C3B8A2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-4_firmware:2.0.9:hotfix4:*:*:*:*:*:*",
"matchCriteriaId": "0D425830-846B-4DE1-A894-C5204B2FB38E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-4_firmware:2.0.9:hotfix5:*:*:*:*:*:*",
"matchCriteriaId": "A40D50F4-2207-4A04-B9A1-62B0E8A93C88",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:er-4:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C0DBDD16-1FDE-45FA-9A5C-44BCF44D70FB",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:er-6p_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F2A602FE-52D8-4532-B251-7B297D48DBC2",
"versionEndExcluding": "2.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-6p_firmware:2.0.9:-:*:*:*:*:*:*",
"matchCriteriaId": "4EB4D4A9-F899-4F48-BE36-DF0EF01D54F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-6p_firmware:2.0.9:hotfix2:*:*:*:*:*:*",
"matchCriteriaId": "49C9FDF4-38A0-4F3F-A254-C23124E9C815",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-6p_firmware:2.0.9:hotfix4:*:*:*:*:*:*",
"matchCriteriaId": "1DDE4F7A-0BB2-4160-845C-D98005B48616",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-6p_firmware:2.0.9:hotfix5:*:*:*:*:*:*",
"matchCriteriaId": "3C15499E-CEE1-4E40-8288-243FAE540B99",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:er-6p:-:*:*:*:*:*:*:*",
"matchCriteriaId": "E9EA558B-7CF3-4CD0-8D73-A6BC646948C9",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:er-8-xg_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "136672C3-79AD-4CBE-B4D1-22D5CCA49358",
"versionEndExcluding": "2.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-8-xg_firmware:2.0.9:-:*:*:*:*:*:*",
"matchCriteriaId": "EE42C156-EAD4-4594-A45C-3445396D085F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-8-xg_firmware:2.0.9:hotfix2:*:*:*:*:*:*",
"matchCriteriaId": "B9DFC719-7376-482C-8406-8F8B4903F3B9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-8-xg_firmware:2.0.9:hotfix4:*:*:*:*:*:*",
"matchCriteriaId": "C4B6811C-71A1-4E80-B4E1-146D6712FF06",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-8-xg_firmware:2.0.9:hotfix5:*:*:*:*:*:*",
"matchCriteriaId": "5D680162-9253-49E6-8907-EEE0EF59517B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:er-8-xg:-:*:*:*:*:*:*:*",
"matchCriteriaId": "EBB1CDE7-F121-4D6A-A729-C6A1F27100E8",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:er-x_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5E5C7E0B-4335-44F0-A19F-6E68D9CFD5AF",
"versionEndExcluding": "2.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-x_firmware:2.0.9:-:*:*:*:*:*:*",
"matchCriteriaId": "9DB3EE14-A555-4DCA-9C16-F3D72489F10C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-x_firmware:2.0.9:hotfix2:*:*:*:*:*:*",
"matchCriteriaId": "2844D28C-FAD9-498A-93FF-7A4A217210A8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-x_firmware:2.0.9:hotfix4:*:*:*:*:*:*",
"matchCriteriaId": "B0473F8F-8D1E-4CEB-A7FC-979F3F3AAF29",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-x_firmware:2.0.9:hotfix5:*:*:*:*:*:*",
"matchCriteriaId": "C5D34B1D-9F1F-4A1F-A76C-FB4EE83D08F7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:er-x:-:*:*:*:*:*:*:*",
"matchCriteriaId": "91B9AD72-BF39-4731-85B9-26036F7C425B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:ui:er-x-sfp_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "34DA36D8-F0BD-4E98-A74C-5D50AD0980C5",
"versionEndExcluding": "2.0.9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-x-sfp_firmware:2.0.9:-:*:*:*:*:*:*",
"matchCriteriaId": "906F4A72-7C6D-45FD-875F-2D2791CE9F4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-x-sfp_firmware:2.0.9:hotfix2:*:*:*:*:*:*",
"matchCriteriaId": "B919E33F-AC70-432C-A3F8-29FDFC710BB0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-x-sfp_firmware:2.0.9:hotfix4:*:*:*:*:*:*",
"matchCriteriaId": "FFEE96EB-D8AE-4B23-B090-E86FBA4BEF73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:ui:er-x-sfp_firmware:2.0.9:hotfix5:*:*:*:*:*:*",
"matchCriteriaId": "101616F2-CA1A-4BF0-9025-F20EDA26F235",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:ui:er-x-sfp:-:*:*:*:*:*:*:*",
"matchCriteriaId": "4F922D6E-7C6D-4984-A0DF-6EDC0C7A9900",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.56 and earlier with their DHCPv6 prefix delegation set to dhcpv6-stateless or dhcpv6-stateful, allows a malicious actor directly connected to the WAN interface of an affected device to create a remote code execution vulnerability."
}
],
"id": "CVE-2023-23912",
"lastModified": "2025-03-24T19:15:41.460",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2023-02-09T20:15:11.740",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-028-028/696e4e3b-718c-4da4-9a21-965a85633b5f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-028-028/696e4e3b-718c-4da4-9a21-965a85633b5f"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-75"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}