CVE-2023-28461

Warnung

EPSS 87.18%
Veröffentlicht 15.03.2023 23:15:10
Zuletzt bearbeitet 03.11.2025 18:14:11
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."

Betroffene Produkte Warnungen 1 Metriken 3 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Arraynetworks ≫ Arrayos Ag Version <= 9.4.0.481

   Arraynetworks ≫ Ag1000 Version-
   Arraynetworks ≫ Ag1000t Version-
   Arraynetworks ≫ Ag1000v5 Version-
   Arraynetworks ≫ Ag1100v5 Version-
   Arraynetworks ≫ Ag1150 Version-
   Arraynetworks ≫ Ag1200 Version-
   Arraynetworks ≫ Ag1200v5 Version-
   Arraynetworks ≫ Ag1500 Version-
   Arraynetworks ≫ Ag1500fips Version-
   Arraynetworks ≫ Ag1500v5 Version-
   Arraynetworks ≫ Ag1600 Version-
   Arraynetworks ≫ Ag1600v5 Version-
   Arraynetworks ≫ Vxag Version-

25.11.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

Array Networks AG and vxAG ArrayOS Missing Authentication for Critical Function Vulnerability

Schwachstelle

Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability that allows an attacker to read local files and execute code on the SSL VPN gateway.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	87.18%	0.994

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/documentation/FieldNotice/Array_Networks_Security_Advisory_for_Remote_Code_Execution_Vulnerability_AG.pdf

Vendor Advisory

Mitigation

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-28461

US Government Resource

https://nvd.nist.gov/vuln/detail/CVE-2023-28461

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-28461

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-28461

EUVD