CVE-2023-42130
Published: 03 May 2024
Summary
CVE-2023-42130 is a high-severity Path Traversal (CWE-22) vulnerability in A10Networks Advanced Core Operating System. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 6.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-42130 is a directory traversal vulnerability in the FileMgmtExport class of A10 Thunder ADC that permits arbitrary file read and deletion. The flaw stems from insufficient validation of user-supplied paths before they are used in file operations, and it carries a CVSS 3.1 score of 8.8 with CWE-22.
Authenticated remote attackers can exploit the issue to read or delete arbitrary files on affected installations in the context of the service account. No unauthenticated access vector is described.
A10 Networks has published a security advisory for the file-access vulnerability, available alongside the Zero Day Initiative disclosure at the referenced URLs. The EPSS score has remained at 0.1131 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-46589
Vulnerability details
A10 Thunder ADC FileMgmtExport Directory Traversal Arbitrary File Read and Deletion Vulnerability. This vulnerability allows remote attackers to read and delete arbitrary files on affected installations of A10 Thunder ADC. Authentication is required to exploit this vulnerability. The specific flaw exists within the FileMgmtExport class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to read and delete files in the context of the service account. Was ZDI-CAN-17905.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
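The control above is the generic fix for CWE-22: resolve the user-supplied name against a fixed export root and reject anything that lands outside it before any read or delete call runs. The following is an added illustration written for this page; it is not A10's code and has no relation to the FileMgmtExport implementation. The export root, the file names and the symlink in `demo()` are constructed sample inputs, and `resolve_export_path` is a hypothetical helper name.

```python
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a user-supplied name would escape the export directory."""


def resolve_export_path(export_root, user_name: str) -> Path:
    """Map a user-supplied file name onto a path inside export_root.

    The name is joined to the root, fully resolved (symlinks and '..'
    components collapsed), and then checked for containment. Anything that
    resolves outside the root is rejected before it can reach open()/unlink().
    """
    if "\x00" in user_name:
        raise PathTraversalError("embedded NUL byte in file name")
    root = Path(export_root).resolve(strict=True)
    # joinpath() with an absolute argument discards the root, so a name such
    # as '/etc/passwd' is not silently prefixed; the containment check below
    # catches it along with '../' sequences and symlink escapes.
    candidate = root.joinpath(user_name).resolve()
    if not candidate.is_relative_to(root):  # Python 3.9+
        raise PathTraversalError(f"{user_name!r} resolves outside {root}")
    return candidate


def is_safe_name(export_root, user_name: str) -> bool:
    """True when user_name can be used for file operations under export_root."""
    try:
        resolve_export_path(export_root, user_name)
        return True
    except PathTraversalError:
        return False


def demo() -> dict:
    """Exercise the check against constructed names inside a temporary root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "exports"          # constructed export directory
        root.mkdir()
        (root / "report.csv").write_text("a,b\n")
        # constructed symlink that points one level above the export root
        (root / "escape").symlink_to(Path(tmp))
        cases = [
            "report.csv",          # plain name inside the root
            "sub/../report.csv",   # '..' that still stays inside the root
            "../secret",           # classic traversal out of the root
            "/etc/passwd",         # absolute path replacing the root
            "escape/secret",       # traversal through a symlink
        ]
        return {name: is_safe_name(root, name) for name in cases}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'allow' if ok else 'reject':6} {name}")
```

The check is done on the resolved path rather than by string-matching for `../`, because lexical filters miss absolute paths, symlinks and encoding variants; the NUL check exists because the OS layer would otherwise raise a generic error at the point of use instead of at validation time.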