CVE-2023-50920

Exploit

EPSS 0.01%
Veröffentlicht 12.01.2024 08:15:43
Zuletzt bearbeitet 17.06.2025 16:15:27
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered on GL.iNet devices before version 4.5.0. They assign the same session ID after each user reboot, allowing attackers to share session identifiers between different sessions and bypass authentication or access control measures. Attackers can impersonate legitimate users or perform unauthorized actions. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR300M 4.3.7, and B1300 4.3.7.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Gl-inet ≫ Gl-ax1800 Firmware Version4.3.7

Gl-inet ≫ Gl-ax1800 Version-

Gl-inet ≫ Gl-ax1800 Firmware Version4.4.6

Gl-inet ≫ Gl-ax1800 Version-

Gl-inet ≫ Gl-axt1800 Firmware Version4.3.7

Gl-inet ≫ Gl-axt1800 Version-

Gl-inet ≫ Gl-axt1800 Firmware Version4.4.6

Gl-inet ≫ Gl-axt1800 Version-

Gl-inet ≫ Gl-mt3000 Firmware Version4.3.7

Gl-inet ≫ Gl-mt3000 Version-

Gl-inet ≫ Gl-mt3000 Firmware Version4.4.6

Gl-inet ≫ Gl-mt3000 Version-

Gl-inet ≫ Gl-mt2500 Firmware Version4.3.7

Gl-inet ≫ Gl-mt2500 Version-

Gl-inet ≫ Gl-mt2500 Firmware Version4.4.6

Gl-inet ≫ Gl-mt2500 Version-

Gl-inet ≫ Gl-mt6000 Firmware Version4.3.7

Gl-inet ≫ Gl-mt6000 Version-

Gl-inet ≫ Gl-mt6000 Firmware Version4.4.6

Gl-inet ≫ Gl-mt6000 Version-

Gl-inet ≫ Gl-mt1300 Firmware Version4.3.7

Gl-inet ≫ Gl-mt1300 Version-

Gl-inet ≫ Gl-mt1300 Firmware Version4.4.6

Gl-inet ≫ Gl-mt1300 Version-

Gl-inet ≫ Gl-mt300n-v2 Firmware Version4.3.7

Gl-inet ≫ Gl-mt300n-v2 Version-

Gl-inet ≫ Gl-mt300n-v2 Firmware Version4.4.6

Gl-inet ≫ Gl-mt300n-v2 Version-

Gl-inet ≫ Gl-ar750s Firmware Version4.3.7

Gl-inet ≫ Gl-ar750s Version-

Gl-inet ≫ Gl-ar750s Firmware Version4.4.6

Gl-inet ≫ Gl-ar750s Version-

Gl-inet ≫ Gl-ar750 Firmware Version4.3.7

Gl-inet ≫ Gl-ar750 Version-

Gl-inet ≫ Gl-ar750 Firmware Version4.4.6

Gl-inet ≫ Gl-ar750 Version-

Gl-inet ≫ Gl-ar300m Firmware Version4.3.7

Gl-inet ≫ Gl-ar300m Version-

Gl-inet ≫ Gl-ar300m Firmware Version4.4.6

Gl-inet ≫ Gl-ar300m Version-

Gl-inet ≫ Gl-b1300 Firmware Version4.3.7

Gl-inet ≫ Gl-b1300 Version-

Gl-inet ≫ Gl-b1300 Firmware Version4.4.6

Gl-inet ≫ Gl-b1300 Version-

Gl-inet ≫ Gl-a1300 Firmware Version4.3.7

Gl-inet ≫ Gl-a1300 Version-

Gl-inet ≫ Gl-a1300 Firmware Version4.4.6

Gl-inet ≫ Gl-a1300 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.01

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	5.5	1.8	3.6	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWE-384 Session Fixation

Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.

https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Authentication-bypass-seesion-ID.md

Vendor Advisory

Exploit

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2023-50920

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-50920

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-50920

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-50920