CVE-2024-39227

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-39227
GL-iNet products AR750/AR750S/AR300M/AR300M16/MT300N-V2/B1300/MT1300/SFT1200/X750 v4.3.11, MT3000/MT2500/AXT1800/AX1800/A1300/X300B v4.5.16, XE300 v4.3.16, E750 v4.3.12, AP1300/S1300 v4.3.13, and XE3000/X3000 v4.4 were discovered to contain insecure permissions in the endpoint /cgi-bin/glc. This vulnerability allows unauthenticated attackers to execute arbitrary code or possibly a directory traversal via crafted JSON data.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Access%20to%20the%20C%20library%20without%20logging%20in.md Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:gl-inet:mt6000_firmware:4.5.8:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt6000:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:gl-inet:a1300_firmware:4.5.16:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:a1300:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:gl-inet:x300b_firmware:4.5.16:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:x300b:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:gl-inet:ax1800_firmware:4.5.16:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ax1800:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:gl-inet:axt1800_firmware:4.5.16:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:axt1800:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:gl-inet:mt2500_firmware:4.5.16:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt2500:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:gl-inet:mt3000_firmware:4.5.16:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt3000:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:gl-inet:x3000_firmware:4.4.8:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:x3000:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:gl-inet:xe3000_firmware:4.4.8:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:xe3000:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:gl-inet:xe300_firmware:4.3.16:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:xe300:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND
cpe:2.3:o:gl-inet:e750_firmware:4.3.12:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:e750:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND
cpe:2.3:o:gl-inet:x750_firmware:4.3.11:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:x750:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND
cpe:2.3:o:gl-inet:sft1200_firmware:4.3.11:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:sft1200:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND
cpe:2.3:o:gl-inet:ar300m_firmware:4.3.11:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar300m:-:*:*:*:*:*:*:*

Configuration 15 (hide)

AND
cpe:2.3:o:gl-inet:ar300m16_firmware:4.3.11:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar300m16:-:*:*:*:*:*:*:*

Configuration 16 (hide)

AND
cpe:2.3:o:gl-inet:ar750_firmware:4.3.11:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar750:-:*:*:*:*:*:*:*

Configuration 17 (hide)

AND
cpe:2.3:o:gl-inet:ar750s_firmware:4.3.11:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ar750s:-:*:*:*:*:*:*:*

Configuration 18 (hide)

AND
cpe:2.3:o:gl-inet:b1300_firmware:4.3.11:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:b1300:-:*:*:*:*:*:*:*

Configuration 19 (hide)

AND
cpe:2.3:o:gl-inet:mt1300_firmware:4.3.11:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt1300:-:*:*:*:*:*:*:*

Configuration 20 (hide)

AND
cpe:2.3:o:gl-inet:mt300n-v2_firmware:4.3.11:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mt300n-v2:-:*:*:*:*:*:*:*

Configuration 21 (hide)

AND
cpe:2.3:o:gl-inet:ap1300_firmware:3.217:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:ap1300:-:*:*:*:*:*:*:*

Configuration 22 (hide)

AND
cpe:2.3:o:gl-inet:b2200_firmware:3.216:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:b2200:-:*:*:*:*:*:*:*

Configuration 23 (hide)

AND
cpe:2.3:o:gl-inet:mv1000_firmware:3.216:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mv1000:-:*:*:*:*:*:*:*

Configuration 24 (hide)

AND
cpe:2.3:o:gl-inet:mv1000w_firmware:3.216:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:mv1000w:-:*:*:*:*:*:*:*

Configuration 25 (hide)

AND
cpe:2.3:o:gl-inet:usb150_firmware:3.216:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:usb150:-:*:*:*:*:*:*:*

Configuration 26 (hide)

AND
cpe:2.3:o:gl-inet:sf1200_firmware:3.216:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:sf1200:-:*:*:*:*:*:*:*

Configuration 27 (hide)

AND
cpe:2.3:o:gl-inet:n300_firmware:3.216:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:n300:-:*:*:*:*:*:*:*

Configuration 28 (hide)

AND
cpe:2.3:o:gl-inet:s1300_firmware:3.216:*:*:*:*:*:*:*
cpe:2.3:h:gl-inet:s1300:-:*:*:*:*:*:*:*
History

No history.

Information

Published : 2024-08-06 17:15

Updated : 2024-08-15 16:15

NVD link : CVE-2024-39227

Mitre link : CVE-2024-39227

CVE.ORG link : CVE-2024-39227

JSON object : View

Products Affected

gl-inet

  • ar750_firmware
  • b2200
  • s1300_firmware
  • mt300n-v2
  • mt300n-v2_firmware
  • ar750s_firmware
  • ap1300_firmware
  • n300_firmware
  • axt1800
  • mt2500_firmware
  • ar300m
  • sf1200
  • mt3000_firmware
  • mt1300_firmware
  • mt6000_firmware
  • x300b_firmware
  • ar300m16_firmware
  • b2200_firmware
  • xe300_firmware
  • ap1300
  • axt1800_firmware
  • e750_firmware
  • sft1200
  • usb150
  • x300b
  • mv1000
  • mt3000
  • x750_firmware
  • b1300
  • mv1000w
  • ar300m16
  • mt1300
  • a1300
  • mt6000
  • ax1800
  • mv1000_firmware
  • x750
  • a1300_firmware
  • sft1200_firmware
  • xe300
  • s1300
  • xe3000
  • x3000_firmware
  • e750
  • ar750s
  • x3000
  • ar300m_firmware
  • b1300_firmware
  • ax1800_firmware
  • sf1200_firmware
  • mt2500
  • n300
  • mv1000w_firmware
  • xe3000_firmware
  • usb150_firmware
  • ar750
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-75

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)