CVE-2023-38034

A command injection vulnerability in the DHCP Client function of all UniFi Access Points and Switches, excluding the Switch Flex Mini, could allow Remote Code Execution (RCE).

Affected Products:
All UniFi Access Points (Version 6.5.53 and earlier)
All UniFi Switches (Version 6.5.32 and earlier) - USW Flex Mini excluded.

Mitigation:
Update UniFi Access Points to Version 6.5.62 or later.
Update UniFi Switches to Version 6.5.59 or later.

Configurations

Configuration 1

AND
cpe:2.3:o:ui:unifi_uap_firmware:*:*:*:*:*:*:*:*
OR cpe:2.3:h:ui:u6\+:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:u6-enterprise:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:u6-enterprise-iw:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:u6-extender:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:u6-iw:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:u6-lite:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:u6-lr:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:u6-mesh:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:u6-pro:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:uap-ac-iw:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:uap-ac-lite:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:uap-ac-lr:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:uap-ac-m:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:uap-ac-m-pro:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:uap-ac-pro:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:ubb:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:ubb-xg:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:uwb-xg:-:*:*:*:*:*:*:*

Configuration 2

AND
cpe:2.3:o:ui:unifi_switch_firmware:*:*:*:*:*:*:*:*
OR cpe:2.3:h:ui:us-16-150w:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:us-24-250w:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:us-48-500w:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:us-8-150w:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:us-8-60w:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:us-xg-6poe:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-16-poe:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-24:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-24-poe:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-48:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-48-poe:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-aggregation:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-enterprise-24-poe:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-enterprise-48-poe:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-enterprise-8-poe:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-enterprisexg-24:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-flex:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-flex-xg:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-industrial:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-lite-16-poe:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-lite-8-poe:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-mission-critical:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-pro-24:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-pro-24-poe:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-pro-48:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-pro-48-poe:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:usw-pro-aggregation:-:*:*:*:*:*:*:*

History

21 Nov 2024, 08:12

Type: References
Values Removed: () https://community.ui.com/releases/Security-Advisory-Bulletin-035-035/91107858-9884-44df-b1c6-63c6499f6e56 - Issue Tracking, Vendor Advisory
Values Added: () https://community.ui.com/releases/Security-Advisory-Bulletin-035-035/91107858-9884-44df-b1c6-63c6499f6e56 - Issue Tracking, Vendor Advisory