CVE-2023-22618
Improper access control in Nokia WaveLite Metro 200

Public disclosure

02-10-2023

Last updated

02-10-2023

Vulnerability type

Incorrect Access Control

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:W/RC:C/CR:H/IR:H/AR:H/MAV:L/MAC:H/MPR:N/MUI:N/MS:C/MC:H/MI:H/MA:H

CVSS score

7.8

Description

If the Security Hardening guide rules are not followed, WaveLite is affected by a vulnerability that allows a local user to create new users with administrative privileges by manipulating the web request.

Affected products and versions

Product                                   Versions
WaveLite Metro 200 and Fan                Before R2.1.1
WaveLite Metro 200 OPS and Fans           Before R2.1.1
WaveLite Metro 200 and F2B Fans           Before R2.1.1
WaveLite Metro 200 OPS and F2B Fans       Before R2.1.1
WaveLite Metro 200 NE and F2B Fans        Before R2.1.1
WaveLite Metro 200 NE OPS and F2B Fans    Before R2.1.1

Mitigation plan

A fix has been made available in version R2.1.1

Acknowledgements

  • Julien Szlamowicz-Czubak (Fenrisk)

Change history: Initial version published on 02-10-2023