CVE-2023-38034

CVSS V2 None CVSS V3 None

Description

A command injection vulnerability in the DHCP Client function of all UniFi Access Points and Switches, excluding the Switch Flex Mini, could allow a Remote Code Execution (RCE). Affected Products: All UniFi Access Points (Version 6.5.53 and earlier) All UniFi Switches (Version 6.5.32 and earlier) -USW Flex Mini excluded. Mitigation: Update UniFi Access Points to Version 6.5.62 or later. Update UniFi Switches to Version 6.5.59 or later.

Overview

CVE ID
CVE-2023-38034

Assigner
support@hackerone.com

Vulnerability Status
Analyzed

Published Version
2023-08-10T19:15:09

Last Modified Date
2023-08-17T14:42:06

Weakness Enumerations

CWE	URL
CWE-77	http://cwe.mitre.org/data/definitions/77.html

CPE Configuration (Product)

CPE	Vulnerable	Operator	Version End
		AND
cpe:2.3:o:ui:unifi_uap_firmware::::::::	1	OR	6.5.53
cpe:2.3:h:ui:u6\+:-:::::::*	0	OR
cpe:2.3:h:ui:u6-enterprise:-:::::::*	0	OR
cpe:2.3:h:ui:u6-enterprise-iw:-:::::::*	0	OR
cpe:2.3:h:ui:u6-extender:-:::::::*	0	OR
cpe:2.3:h:ui:u6-iw:-:::::::*	0	OR
cpe:2.3:h:ui:u6-lite:-:::::::*	0	OR
cpe:2.3:h:ui:u6-lr:-:::::::*	0	OR
cpe:2.3:h:ui:u6-mesh:-:::::::*	0	OR
cpe:2.3:h:ui:u6-pro:-:::::::*	0	OR
cpe:2.3:h:ui:uap-ac-iw:-:::::::*	0	OR
cpe:2.3:h:ui:uap-ac-lite:-:::::::*	0	OR
cpe:2.3:h:ui:uap-ac-lr:-:::::::*	0	OR
cpe:2.3:h:ui:uap-ac-m:-:::::::*	0	OR
cpe:2.3:h:ui:uap-ac-m-pro:-:::::::*	0	OR
cpe:2.3:h:ui:uap-ac-pro:-:::::::*	0	OR
cpe:2.3:h:ui:ubb:-:::::::*	0	OR
cpe:2.3:h:ui:ubb-xg:-:::::::*	0	OR
cpe:2.3:h:ui:uwb-xg:-:::::::*	0	OR
		AND
cpe:2.3:o:ui:unifi_switch_firmware::::::::	1	OR	6.5.32
cpe:2.3:h:ui:us-16-150w:-:::::::*	0	OR
cpe:2.3:h:ui:us-24-250w:-:::::::*	0	OR
cpe:2.3:h:ui:us-48-500w:-:::::::*	0	OR
cpe:2.3:h:ui:us-8-150w:-:::::::*	0	OR
cpe:2.3:h:ui:us-8-60w:-:::::::*	0	OR
cpe:2.3:h:ui:us-xg-6poe:-:::::::*	0	OR
cpe:2.3:h:ui:usw-16-poe:-:::::::*	0	OR
cpe:2.3:h:ui:usw-24:-:::::::*	0	OR
cpe:2.3:h:ui:usw-24-poe:-:::::::*	0	OR
cpe:2.3:h:ui:usw-48:-:::::::*	0	OR
cpe:2.3:h:ui:usw-48-poe:-:::::::*	0	OR
cpe:2.3:h:ui:usw-aggregation:-:::::::*	0	OR
cpe:2.3:h:ui:usw-enterprise-24-poe:-:::::::*	0	OR
cpe:2.3:h:ui:usw-enterprise-48-poe:-:::::::*	0	OR
cpe:2.3:h:ui:usw-enterprise-8-poe:-:::::::*	0	OR
cpe:2.3:h:ui:usw-enterprisexg-24:-:::::::*	0	OR
cpe:2.3:h:ui:usw-flex:-:::::::*	0	OR
cpe:2.3:h:ui:usw-flex-xg:-:::::::*	0	OR
cpe:2.3:h:ui:usw-industrial:-:::::::*	0	OR
cpe:2.3:h:ui:usw-lite-16-poe:-:::::::*	0	OR
cpe:2.3:h:ui:usw-lite-8-poe:-:::::::*	0	OR
cpe:2.3:h:ui:usw-mission-critical:-:::::::*	0	OR
cpe:2.3:h:ui:usw-pro-24:-:::::::*	0	OR
cpe:2.3:h:ui:usw-pro-24-poe:-:::::::*	0	OR
cpe:2.3:h:ui:usw-pro-48:-:::::::*	0	OR
cpe:2.3:h:ui:usw-pro-48-poe:-:::::::*	0	OR
cpe:2.3:h:ui:usw-pro-aggregation:-:::::::*	0	OR

References

Reference URL	Reference Tags
https://community.ui.com/releases/Security-Advisory-Bulletin-035-035/91107858-9884-44df-b1c6-63c6499f6e56	Issue Tracking Vendor Advisory

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2023-38034
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38034

History

Created	Old Value	New Value	Data Type	Notes
2023-09-06 03:31:14				Added to TrackCVE
2023-09-06 03:31:16			Weakness Enumeration	new