Details of VAR-202307-1334

ID

VAR-202307-1334

CVE

CVE-2023-38100

TITLE

of netgear ProSAFE Network Management System In SQL Injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2023-028059

DESCRIPTION

NETGEAR ProSAFE Network Management System clearAlertByIds SQL Injection Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of NETGEAR ProSAFE Network Management System. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the clearAlertByIds function. The issue results from the lack of proper validation of a user-supplied string before using it to construct SQL queries. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. Was ZDI-CAN-19724. (DoS) It may be in a state

Trust: 2.79

sources: NVD: CVE-2023-38100 // JVNDB: JVNDB-2023-028059 // ZDI: ZDI-23-916 // CNVD: CNVD-2024-33911

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2024-33911

AFFECTED PRODUCTS

vendor:	netgear	model:	prosafe network management system	scope:	lt	version:	1.7.0.20	Trust: 1.0
vendor:	ネットギア	model:	prosafe network management system	scope:	eq	version:	-	Trust: 0.8
vendor:	ネットギア	model:	prosafe network management system	scope:	-	version:	-	Trust: 0.8
vendor:	ネットギア	model:	prosafe network management system	scope:	eq	version:	1.7.0.20	Trust: 0.8
vendor:	netgear	model:	prosafe network management system	scope:	-	version:	-	Trust: 0.7
vendor:	netgear	model:	prosafe	scope:	-	version:	-	Trust: 0.6

sources: ZDI: ZDI-23-916 // CNVD: CNVD-2024-33911 // JVNDB: JVNDB-2023-028059 // NVD: CVE-2023-38100

CVSS

SEVERITY

CVSSV2

CVSSV3

zdi-disclosures@trendmicro.com:	CVE-2023-38100
value:	HIGH
Trust: 1.0
nvd@nist.gov:	CVE-2023-38100
value:	HIGH
Trust: 1.0
NVD:	CVE-2023-38100
value:	HIGH
Trust: 0.8
ZDI:	CVE-2023-38100
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2024-33911
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2024-33911
severity:	HIGH
baseScore:	9.0
vectorString:	AV:N/AC:L/AU:S/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	SINGLE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.0
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

zdi-disclosures@trendmicro.com:	CVE-2023-38100
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.8
nvd@nist.gov:	CVE-2023-38100
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.1
Trust: 1.0
ZDI:	CVE-2023-38100
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-23-916 // CNVD: CNVD-2024-33911 // JVNDB: JVNDB-2023-028059 // NVD: CVE-2023-38100 // NVD: CVE-2023-38100

PROBLEMTYPE DATA

problemtype:	CWE-89	Trust: 1.0
problemtype:	SQL injection (CWE-89) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-028059 // NVD: CVE-2023-38100

PATCH

title:	NETGEAR has issued an update to correct this vulnerability.	url:	https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabilities-on-the-ProSAFE-Network-Management-System-PSV-2023-0024-PSV-2023-0025	Trust: 0.7
title:	Patch for NETGEAR ProSAFE SQL Injection Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/574066	Trust: 0.6

sources: ZDI: ZDI-23-916 // CNVD: CNVD-2024-33911

EXTERNAL IDS

db:	NVD	id:	CVE-2023-38100	Trust: 3.9
db:	ZDI	id:	ZDI-23-916	Trust: 2.5
db:	JVNDB	id:	JVNDB-2023-028059	Trust: 0.8
db:	ZDI_CAN	id:	ZDI-CAN-19724	Trust: 0.7
db:	CNVD	id:	CNVD-2024-33911	Trust: 0.6

sources: ZDI: ZDI-23-916 // CNVD: CNVD-2024-33911 // JVNDB: JVNDB-2023-028059 // NVD: CVE-2023-38100

REFERENCES

url:	https://kb.netgear.com/000065707/security-advisory-for-multiple-vulnerabilities-on-the-prosafe-network-management-system-psv-2023-0024-psv-2023-0025	Trust: 2.5
url:	https://www.zerodayinitiative.com/advisories/zdi-23-916/	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-38100	Trust: 0.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2023-38100	Trust: 0.6

sources: ZDI: ZDI-23-916 // CNVD: CNVD-2024-33911 // JVNDB: JVNDB-2023-028059 // NVD: CVE-2023-38100

CREDITS

Steven Seeley of Source Incite

Trust: 0.7

sources: ZDI: ZDI-23-916

SOURCES

db:	ZDI	id:	ZDI-23-916
db:	CNVD	id:	CNVD-2024-33911
db:	JVNDB	id:	JVNDB-2023-028059
db:	NVD	id:	CVE-2023-38100

LAST UPDATE DATE

2025-02-08T23:03:09.276000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-23-916	date:	2023-07-13T00:00:00
db:	CNVD	id:	CNVD-2024-33911	date:	2024-07-30T00:00:00
db:	JVNDB	id:	JVNDB-2023-028059	date:	2025-02-07T01:28:00
db:	NVD	id:	CVE-2023-38100	date:	2025-02-06T18:01:21.237

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-23-916	date:	2023-07-13T00:00:00
db:	CNVD	id:	CNVD-2024-33911	date:	2024-07-25T00:00:00
db:	JVNDB	id:	JVNDB-2023-028059	date:	2025-02-07T00:00:00
db:	NVD	id:	CVE-2023-38100	date:	2024-05-03T02:15:52.800