CVE-2024-30368

EPSS 3.94%
Published 06.06.2024 18:15:13
Last modified 21.11.2024 09:11:47
Source zdi-disclosures@trendmicro.com
Teams watchlist Login
Open Login

A10 Thunder ADC CsrRequestView Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of A10 Thunder ADC. Authentication is required to exploit this vulnerability.

The specific flaw exists within the CsrRequestView class. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of a10user. Was ZDI-CAN-22517.

Affected products Warnungen 0 Metrics 3 CWE 2 References 5

Data is provided by the National Vulnerability Database (NVD)

A10networks ≫ Advanced Core Operating System Version4.1.4 Update-

A10networks ≫ Advanced Core Operating System Version4.1.4 Updategr1

A10networks ≫ Advanced Core Operating System Version4.1.4 Updategr1-p1

A10networks ≫ Advanced Core Operating System Version4.1.4 Updategr1-p10

A10networks ≫ Advanced Core Operating System Version4.1.4 Updategr1-p11

A10networks ≫ Advanced Core Operating System Version4.1.4 Updategr1-p12

A10networks ≫ Advanced Core Operating System Version4.1.4 Updategr1-p13

A10networks ≫ Advanced Core Operating System Version4.1.4 Updategr1-p2

A10networks ≫ Advanced Core Operating System Version4.1.4 Updategr1-p3

A10networks ≫ Advanced Core Operating System Version4.1.4 Updategr1-p4

A10networks ≫ Advanced Core Operating System Version4.1.4 Updategr1-p5

A10networks ≫ Advanced Core Operating System Version4.1.4 Updategr1-p6

A10networks ≫ Advanced Core Operating System Version4.1.4 Updategr1-p7

A10networks ≫ Advanced Core Operating System Version4.1.4 Updategr1-p8

A10networks ≫ Advanced Core Operating System Version4.1.4 Updategr1-p9

A10networks ≫ Advanced Core Operating System Version4.1.4 Updatep1

A10networks ≫ Advanced Core Operating System Version4.1.4 Updatep2

A10networks ≫ Advanced Core Operating System Version4.1.4 Updatep3

A10networks ≫ Advanced Core Operating System Version5.1.0 Update-

A10networks ≫ Advanced Core Operating System Version5.1.0 Updatep3

A10networks ≫ Advanced Core Operating System Version5.1.0 Updatep4

A10networks ≫ Advanced Core Operating System Version5.1.0 Updatep5

A10networks ≫ Advanced Core Operating System Version5.1.0 Updatep6

A10networks ≫ Advanced Core Operating System Version5.2.0 Update-

A10networks ≫ Advanced Core Operating System Version5.2.0 Updatep1

A10networks ≫ Advanced Core Operating System Version5.2.1 Update-

A10networks ≫ Advanced Core Operating System Version5.2.1 Updatep1

A10networks ≫ Advanced Core Operating System Version5.2.1 Updatep2

A10networks ≫ Advanced Core Operating System Version5.2.1 Updatep3

A10networks ≫ Advanced Core Operating System Version5.2.1 Updatep4

A10networks ≫ Advanced Core Operating System Version5.2.1 Updatep5

A10networks ≫ Advanced Core Operating System Version5.2.1 Updatep6

A10networks ≫ Advanced Core Operating System Version5.2.1 Updatep7

A10networks ≫ Advanced Core Operating System Version5.2.1 Updatep8

A10networks ≫ Advanced Core Operating System Version5.2.1 Updatep9

A10networks ≫ Advanced Core Operating System Version6.0.0 Update-

A10networks ≫ Advanced Core Operating System Version6.0.0 Updatep1

A10networks ≫ Advanced Core Operating System Version6.0.0 Updatep2

A10networks ≫ Advanced Core Operating System Version6.0.0 Updatep2-sp1

A10networks ≫ Advanced Core Operating System Version6.0.1

A10networks ≫ Advanced Core Operating System Version6.0.2 Update-

A10networks ≫ Advanced Core Operating System Version6.0.2 Updatep1

A10networks ≫ Advanced Core Operating System Version6.0.3 Update-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	3.94%	0.879

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
zdi-disclosures@trendmicro.com	7.2	1.2	5.9	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

https://support.a10networks.com/support/security_advisory/cve-2024-30368-cve-2024-30369

Vendor Advisory

https://www.zerodayinitiative.com/advisories/ZDI-24-524/

Third Party Advisory

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2024-30368

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-30368

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-30368

EUVD