
CVE-2023-22581 - White Rabbit Switch - Unauthenticated remote code execution

CVE CVE-2023-22581
Case DIVD-2022-00068
Discovered by
  • Tom Wolters (Chapter8)
Credits
Affected products
Product Affected Unaffected Unknown
CERN White Rabbit Switch >= v.x.y.z < v6.0.1 to < v6.0.1
everything else
Page author Victor Pasman
CVSS Base score: 9.8 (CRITICAL)
References
Problem type(s) CWE-20 Improper Input Validation
Impact(s) CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
Last modified 12 May 2023 11:55

Description

White Rabbit Switch contains a vulnerability that allows an attacker to execute system commands in the context of the web application (in the default installation, the web server runs as the root user).

