Asus RT-AX56U URL Parameter update_json path traversal


A vulnerability, which was classified as critical, was found in Asus RT-AX56U (version unknown). This vulnerability is traded as CVE-2022-23970.

VDB-196698 · CVE-2022-23970 · Asus RT-AX56U URL Parameter update_json path traversal

CVSS Meta Temp Score: 7.1
Current Exploit Price (≈): $0-$5k
CTI Interest Score: 0.18

Affected is the function update_json of the component URL Parameter Handler. The manipulation with an unknown input leads to a directory traversal vulnerability. CWE is classifying the issue as CWE-22. This is going to have an impact on confidentiality, integrity, and availability.

CVE summarizes: ASUS RT-AX56U's update_json function has a path traversal vulnerability due to insufficient filtering for special characters in the URL parameter. An unauthenticated LAN attacker can overwrite a system file by uploading another file with the same filename, which results in service disruption.

The weakness was presented 04/08/2022. The advisory is available at twcert.org.tw. This vulnerability is traded as CVE-2022-23970 since 01/26/2022. The exploitability is told to be easy. Access to the local network is required for this attack. The exploitation doesn't require any form of authentication. Technical details are known, but there is no available exploit. The structure of the vulnerability defines a possible price range of USD $0-$5k at the moment (estimation calculated on 04/09/2022). There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Product info
Vendor: Asus
Name: RT-AX56U

CVSSv3
VulDB Meta Base Score: 7.2
VulDB Meta Temp Score: 7.1
VulDB Base Score: 6.3
VulDB Temp Score: 6.1
CNA Base Score (TWCERT/CC): 8.1

Exploiting
Class: Directory traversal
CWE: CWE-22
ATT&CK: Unknown
Local: No
Remote: Partially
Status: Not defined

Countermeasures
Recommended: no mitigation known

Timeline
01/26/2022 CVE reserved
04/08/2022 (+71 days) Advisory disclosed
04/08/2022 (+0 days) VulDB entry created
04/09/2022 (+1 days) VulDB last update

Sources
Vendor: asus.com
Advisory: twcert.org.tw
Status: Not defined
CVE: CVE-2022-23970

Entry
Created: 04/08/2022 12:55
Updated: 04/09/2022 11:02
Changes: (1) source_cve_nvd_summary
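The CVE summary attributes the flaw to insufficient filtering of special characters in a URL parameter that names an uploaded file. The following is an added illustration of the defensive check such a handler needs, written for this entry and not code from ASUS firmware or from VulDB: a naive single-pass filter beside a containment check that decodes the parameter once, canonicalises the resolved path and rejects anything that is not a strict descendant of the upload directory. The upload directory, function names and sample inputs are assumptions.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Hypothetical upload root for an update_json-style handler (assumption, not from the advisory).
UPLOAD_DIR = "/tmp/update_json_uploads"


def naive_filter(name: str) -> str:
    """The kind of insufficient special-character filtering the advisory describes:
    one string replacement that never sees percent-encoded or nested input."""
    return name.replace("../", "")


def resolve_upload_path(base_dir: str, url_param: str) -> Optional[str]:
    """Map a filename taken from a URL parameter to an absolute path inside base_dir.

    Returns the resolved path, or None when the name would escape base_dir,
    names base_dir itself, or contains characters a single filename never needs.
    """
    # URL parameters are percent-encoded; decode exactly once before validating so
    # the check judges the same string the filesystem would receive.
    name = unquote(url_param)
    # NUL terminates C strings in the firmware's libc, and a backslash is a path
    # separator on some platforms: neither belongs in a filename, so refuse early.
    if not name or "\x00" in name or "\\" in name:
        return None
    if os.path.isabs(name):
        return None
    # Canonicalise both sides so symlinks and ".." are resolved before comparing.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Containment check: the candidate must be a strict descendant of base.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def check_upload_name(url_param: str) -> bool:
    """True if the upload may be written under UPLOAD_DIR, False if it must be rejected."""
    return resolve_upload_path(UPLOAD_DIR, url_param) is not None
```

A rejected name should be logged with the decoded value and the client address; a LAN-only service still benefits from that audit trail when the device is shared.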


