CVE-2023-46681 (GCVE-0-2023-46681)
Vulnerability from cvelistv5
Published
2023-12-26 07:29
Modified
2024-08-02 20:53
Severity ?
CWE
  • Improper neutralization of argument delimiters in a command ('Argument Injection')
Summary
Improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability in VR-S1000 firmware Ver. 2.37 and earlier allows an authenticated attacker who can access to the product's command line interface to execute an arbitrary command.
References
Impacted products
Vendor Product Version
BUFFALO INC. VR-S1000 Version: firmware Ver. 2.37 and earlier
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T20:53:20.829Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.buffalo.jp/news/detail/20231225-01.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://jvn.jp/en/jp/JVN23771490/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "VR-S1000",
          "vendor": "BUFFALO INC.",
          "versions": [
            {
              "status": "affected",
              "version": "firmware Ver. 2.37 and earlier"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper neutralization of argument delimiters in a command (\u0027Argument Injection\u0027) vulnerability in VR-S1000 firmware Ver. 2.37 and earlier allows an authenticated attacker who can access to the product\u0027s command line interface to execute an arbitrary command."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Improper neutralization of argument delimiters in a command (\u0027Argument Injection\u0027)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-26T07:29:17.894Z",
        "orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
        "shortName": "jpcert"
      },
      "references": [
        {
          "url": "https://www.buffalo.jp/news/detail/20231225-01.html"
        },
        {
          "url": "https://jvn.jp/en/jp/JVN23771490/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce",
    "assignerShortName": "jpcert",
    "cveId": "CVE-2023-46681",
    "datePublished": "2023-12-26T07:29:17.894Z",
    "dateReserved": "2023-10-25T07:08:55.618Z",
    "dateUpdated": "2024-08-02T20:53:20.829Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-46681\",\"sourceIdentifier\":\"vultures@jpcert.or.jp\",\"published\":\"2023-12-26T08:15:10.247\",\"lastModified\":\"2024-11-21T08:29:03.727\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper neutralization of argument delimiters in a command (\u0027Argument Injection\u0027) vulnerability in VR-S1000 firmware Ver. 2.37 and earlier allows an authenticated attacker who can access to the product\u0027s command line interface to execute an arbitrary command.\"},{\"lang\":\"es\",\"value\":\"La neutralizaci\u00f3n incorrecta de delimitadores de argumentos en una vulnerabilidad de comando (\u0027Inyecci\u00f3n de argumentos\u0027) en la versi\u00f3n del firmware VR-S1000. 2.37 y anteriores permiten que un atacante autenticado que pueda acceder a la interfaz de l\u00ednea de comandos del producto ejecute un comando arbitrario.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-88\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:buffalo:vr-s1000_firmware:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.37\",\"matchCriteriaId\":\"C961815C-579A-4422-8C61-467B547E0D23\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:buffalo:vr-s1000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"45640129-5499-47CD-A890-A86F4B79B6C8\"}]}]}],\"references\":[{\"url\":\"https://jvn.jp/en/jp/JVN23771490/\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.buffalo.jp/news/detail/20231225-01.html\",\"source\":\"vultures@jpcert.or.jp\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://jvn.jp/en/jp/JVN23771490/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.buffalo.jp/news/detail/20231225-01.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.