CVE-2023-38034 | Severity.io

Description

A command injection vulnerability in the DHCP Client function of all UniFi Access Points and Switches, excluding the Switch Flex Mini, could allow a Remote Code Execution (RCE). Affected Products: All UniFi Access Points (Version 6.5.53 and earlier) All UniFi Switches (Version 6.5.32 and earlier) -USW Flex Mini excluded. Mitigation: Update UniFi Access Points to Version 6.5.62 or later. Update UniFi Switches to Version 6.5.59 or later.

Related CPE's

unifi_uap_firmware

Vulnerable

u6-enterprise-iw

unifi_switch_firmware

Vulnerable

usw-aggregation

usw-enterprise-24-poe

usw-enterprise-48-poe

usw-enterprise-8-poe

usw-enterprisexg-24

usw-lite-16-poe

usw-mission-critical

usw-pro-aggregation

References

https://community.ui.com/releases/Security-Advisory-Bulletin-035-035/91107858-9884-44df-b1c6-63c6499f6e56

Issue TrackingVendor Advisory

Weaknesses

[email protected]

Primary

CWE-77

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.8 · Critical

CVSS V3.1
CVSS V3.0
CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2023-08-10T19:15:09.803

11 months ago

Last modified

2023-08-17T14:42:06.533

11 months ago