9.8

CVE-2023-38034

A command injection vulnerability in the DHCP Client function of all UniFi Access Points and Switches, excluding the Switch Flex Mini, could allow a Remote Code Execution (RCE).

 
Affected Products:
All UniFi Access Points (Version 6.5.53 and earlier)
All UniFi Switches (Version 6.5.32 and earlier) 
-USW Flex Mini excluded.
 

Mitigation:
Update UniFi Access Points to Version 6.5.62 or later.
Update UniFi Switches to Version 6.5.59 or later.

Data is provided by the National Vulnerability Database (NVD)
UiUnifi Uap Firmware Version <= 6.5.53
   UiU6+ Version-
   UiU6-enterprise Version-
   UiU6-enterprise-iw Version-
   UiU6-extender Version-
   UiU6-iw Version-
   UiU6-lite Version-
   UiU6-lr Version-
   UiU6-mesh Version-
   UiU6-pro Version-
   UiUap-ac-iw Version-
   UiUap-ac-lite Version-
   UiUap-ac-lr Version-
   UiUap-ac-m Version-
   UiUap-ac-m-pro Version-
   UiUap-ac-pro Version-
   UiUbb Version-
   UiUbb-xg Version-
   UiUwb-xg Version-
UiUnifi Switch Firmware Version <= 6.5.32
   UiUs-16-150w Version-
   UiUs-24-250w Version-
   UiUs-48-500w Version-
   UiUs-8-150w Version-
   UiUs-8-60w Version-
   UiUs-xg-6poe Version-
   UiUsw-16-poe Version-
   UiUsw-24 Version-
   UiUsw-24-poe Version-
   UiUsw-48 Version-
   UiUsw-48-poe Version-
   UiUsw-aggregation Version-
   UiUsw-enterprise-24-poe Version-
   UiUsw-enterprise-48-poe Version-
   UiUsw-enterprise-8-poe Version-
   UiUsw-enterprisexg-24 Version-
   UiUsw-flex Version-
   UiUsw-flex-xg Version-
   UiUsw-industrial Version-
   UiUsw-lite-16-poe Version-
   UiUsw-lite-8-poe Version-
   UiUsw-mission-critical Version-
   UiUsw-pro-24 Version-
   UiUsw-pro-24-poe Version-
   UiUsw-pro-48 Version-
   UiUsw-pro-48-poe Version-
   UiUsw-pro-aggregation Version-
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 2.74% 0.851
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
support@hackerone.com 8.3 1.6 6
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.