CVE-2024-45416 (CVSS base score 8.1)
- EPSS 0.16%
- Published 16.09.2024 21:15:46
- Last modified 20.09.2024 12:31:20
- Source cve@mitre.org
The HTTPD binary in multiple ZTE routers has a local file inclusion vulnerability in the session_init function. The session Lua files are stored in the directory /var/lua_session; the function iterates over all files in this directory and executes each of them with dofile, without validating whether it is a legitimate session file. An attacker who is able to write a malicious file into the sessions directory can gain RCE as root.
Linked by AI from unstructured data to existing NVD CPEs
Data provided by the CVE Program's Authorized Data Publishers (ADP) (unstructured)
Vendor | Product | Default Status | Version | Status |
---|---|---|---|---|
zte | zxhn_z500_firmware | unknown | V1.0.1.1B2.1000 | affected |
zte | zxhn_e500_firmware | unknown | V1.0.1.1B2.1000 | affected |
zte | zxhn_h108n_firmware | unknown | V2.6.20.ROST12 | affected |
zte | zxhn_e2615_firmware | unknown | V1.0.1 | affected |
zte | zxhn_e2603_firmware | unknown | V1.0.1 | affected |
zte | zxhn_e2618_firmware | unknown | V1.0.0.2B4.3000 | affected |
zte | zxhn_e1600_firmware | unknown | V1.0.0.2B1.1000 | affected |
zte | zxhn_h338a_firmware | unknown | V1.5.0_H3A.1T9P1-o | affected |
zte | zxhn_h168n_firmware | unknown | V3.5.5_CO.1T1 | affected |
zte | zxhn_h168a_firmware | unknown | TTN.1T1_211029 | affected |
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.16% | 0.372 |
Source | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.1 | 2.2 | 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.