Cyber Resilience

CVE-2023-38942

Critical · Public PoC · RCE

Published: 03 August 2023
Modified: 21 November 2024
KEV Added: not listed
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0613 (91.0th percentile)
Risk Priority: 23 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-38942 is a critical-severity Command Injection (CWE-77) vulnerability in Dango Dango-Translator. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 9.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Dango-Translator version 4.5.5 contains a remote command execution vulnerability tracked as CVE-2023-38942. The flaw resides in the app/config/cloud_config.json component and is classified under CWE-77, indicating improper neutralization of special elements used in a command (command injection). It received a CVSS 3.1 base score of 9.8, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

An unauthenticated attacker with network access can supply malicious input through the affected configuration component to execute arbitrary commands on the host system. Successful exploitation grants full confidentiality, integrity, and availability impact, allowing complete compromise of the target application and underlying system.

The provided references consist solely of the project's GitHub repository and an associated issue thread; no explicit advisory text or patch details are included in the source data. The EPSS score has remained flat at 0.0613, with no material increase observed after disclosure.

EU & UK References

Vulnerability details

Dango-Translator v4.5.5 was discovered to contain a remote command execution (RCE) vulnerability via the component app/config/cloud_config.json.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: dango
Product: dango-translator
Version: 4.5.5

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References