Cyber Resilience

CVE-2023-5142

Low · Public PoC

Published: 24 September 2023

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
EPSS Score: 0.0032 (55.0th percentile)
Risk Priority: 8 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-5142 is a low-severity path traversal (CWE-22) vulnerability in H3C GR-1100-P firmware. Its CVSS base score is 3.7 (Low).

Operationally, it is ranked in the top 45.0% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

A vulnerability classified as problematic was found in H3C GR-1100-P, GR-1108-P, GR-1200W, GR-1800AX, GR-2200, GR-3200, GR-5200, GR-8300, ER2100n, ER2200G2, ER3200G2, ER3260G2, ER5100G2, ER5200G2 and ER6300G2 up to 20230908. This vulnerability affects unknown code of the file /userLogin.asp of the component Config File Handler. The manipulation leads to path traversal. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. VDB-240238 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Affected versions
h3c | gr-1100-p firmware | ≤ 20230908
h3c | gr-1108-p firmware | ≤ 20230908
h3c | gr-1200w firmware | ≤ 20230908
h3c | gr-1800ax firmware | ≤ 20230908
h3c | gr-2200 firmware | ≤ 20230908
h3c | gr-3200 firmware | ≤ 20230908
h3c | gr-5200 firmware | ≤ 20230908
h3c | gr-8300 firmware | ≤ 20230908
h3c | er3260g2 firmware | ≤ 20230908
h3c | er5200g2 firmware | ≤ 20230908
+5 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.