CVE-2023-28461
Gravedad CVSS v3.1:
CRÍTICA
Tipo:
CWE-287
Autenticación incorrecta
Fecha de publicación:
15/03/2023
Última modificación:
14/03/2025
Descripción
*** Pendiente de traducción *** Array Networks Array AG Series and vxAG (9.4.0.481 and earlier) allow remote code execution. An attacker can browse the filesystem on the SSL VPN gateway using a flags attribute in an HTTP header without authentication. The product could then be exploited through a vulnerable URL. The 2023-03-09 vendor advisory stated "a new Array AG release with the fix will be available soon."
Impacto
Puntuación base 3.x
9.80
Gravedad 3.x
CRÍTICA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:o:arraynetworks:arrayos_ag:*:*:*:*:*:*:*:* | 9.4.0.481 (incluyendo) | |
| cpe:2.3:h:arraynetworks:ag1000:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:arraynetworks:ag1000t:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:arraynetworks:ag1000v5:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:arraynetworks:ag1100v5:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:arraynetworks:ag1150:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:arraynetworks:ag1200:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:arraynetworks:ag1200v5:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:arraynetworks:ag1500:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:arraynetworks:ag1500fips:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:arraynetworks:ag1500v5:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:arraynetworks:ag1600:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:arraynetworks:ag1600v5:-:*:*:*:*:*:*:* | ||
| cpe:2.3:h:arraynetworks:vxag:-:*:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/documentation/FieldNotice/Array_Networks_Security_Advisory_for_Remote_Code_Execution_Vulnerability_AG.pdf
- https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/documentation/FieldNotice/Array_Networks_Security_Advisory_for_Remote_Code_Execution_Vulnerability_AG.pdf