CVE-2023-22618
Improper access control in Nokia WaveLite Metro 200
Public disclosure | 02-10-2023 |
---|---|
Last updated | 02-10-2023 |
Vulnerability type | Incorrect Access Control |
CVSS vector | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:W/RC:C/CR:H/IR:H/AR:H/MAV:L/MAC:H/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H |
CVSS score | 7.8 |
Description
If the Security Hardening guide rules are not followed, WaveLite is affected by a vulnerability that allows a local user to create new users with administrative privileges by manipulating the web request.
Affected products and versions
Product | Versions |
---|---|
WaveLite Metro 200 and Fan | Before R2.1.1 |
WaveLite Metro 200 OPS and Fans | Before R2.1.1 |
WaveLite Metro 200 and F2B Fans | Before R2.1.1 |
WaveLite Metro 200 OPS and F2B Fans | Before R2.1.1 |
WaveLite Metro 200 NE and F2B Fans | Before R2.1.1 |
WaveLite Metro 200 NE OPS and F2B Fans | Before R2.1.1 |
Mitigation plan
A fix has been made available in version R2.1.1.
Acknowledgements
- Julien Szlamowicz-Czubak (Fenrisk)
References
Change history: Initial version published on 02-10-2023.