Headline
CVE-2023-3330: NV23-007_en: Security Information | NEC
Improper Limitation of a Pathname to a Restricted Directory vulnerability in NEC Corporation Aterm WG2600HP2, WG2600HP, WG2200HP, WG1800HP2, WG1800HP, WG1400HP, WG600HP, WG300HP, WF300HP, WR9500N, WR9300N, WR8750N, WR8700N, WR8600N, WR8370N, WR8175N and WR8170N all versions allows an attacker to obtain specific files in the product.
Multiple vulnerabilities in Aterm series
Number: NV23-007
CVE: CVE-2023-3330, CVE-2023-3331, CVE-2023-3332, CVE-2023-3333
JVN: JVN#38343415
Overview
CVE-2023-3330: File viewing vulnerability.
CVE-2023-3331: File deletion vulnerability.
CVE-2023-3332: An attacker who has obtained high privileges can execute arbitrary scripts.
CVE-2023-3333: An attacker who has obtained high privileges can execute arbitrary OS commands as root.
Products Affected
Aterm
Affected Version
All versions listed below
- WG2600HP2
- WG2600HP
- WG2200HP
- WG1800HP2
- WG1800HP
- WG1400HP
- WG600HP
- WG300HP
- WF300HP
- WR9500N
- WR9300N
- WR8750N
- WR8700N
- WR8600N
- WR8370N
- WR8175N
- WR8170N
Solution
References
Credit
Reported by Mr. Taizoh Tsukamoto of Mitsui Bussan Secure Directions, Inc. through IPA.
Update
2023/07/03
Update Products Affected and References.
2023/06/27
First edition.
Related news
Improper Neutralization of Special Elements used in an OS Command vulnerability in NEC Corporation Aterm WG2200HP all versions allows an attacker to execute an arbitrary OS command with root privileges after obtaining high privileges by exploiting the CVE-2023-3330 and CVE-2023-3331 vulnerabilities.