CVE-2023-3331 : Improper Limitation of a Pathname to a Restricted Directory vulnerability in NEC

Improper Limitation of a Pathname to a Restricted Directory vulnerability in NEC Corporation Aterm Aterm WG2600HP2, WG2600HP, WG2200HP, WG1800HP2, WG1800HP, WG1400HP, WG600HP, WG300HP, WF300HP, WR9500N, WR9300N, WR8750N, WR8700N, WR8600N, WR8370N, WR8175N and WR8170N all versions allows a attacker to delete specific files in the product.

Published 2023-06-28 02:15:50

Updated 2023-07-05 18:45:37

Source NEC Corporation

View at NVD, CVE.org

Vulnerability category: Directory traversal

Products affected by CVE-2023-3331

NEC » Aterm Wf300hp Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wf300hp_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wf300hp » Version: N/A
NEC » Aterm Wg1400hp Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wg1400hp_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wg1400hp » Version: N/A
NEC » Aterm Wg1800hp Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wg1800hp_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wg1800hp » Version: N/A
NEC » Aterm Wg1800hp2 Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wg1800hp2_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wg1800hp2 » Version: N/A
NEC » Aterm Wg2200hp Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wg2200hp_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wg2200hp » Version: N/A
NEC » Aterm Wg2600hp Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wg2600hp_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wg2600hp » Version: N/A
NEC » Aterm Wg2600hp2 Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wg2600hp2_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wg2600hp2 » Version: N/A
NEC » Aterm Wg300hp Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wg300hp_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wg300hp » Version: N/A
NEC » Aterm Wg600hp Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wg600hp_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wg600hp » Version: N/A
NEC » Aterm Wr8600n Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wr8600n_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wr8600n » Version: N/A
NEC » Aterm Wr8700n Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wr8700n_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wr8700n » Version: N/A
NEC » Aterm Wr8750n Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wr8750n_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wr8750n » Version: N/A
NEC » Aterm Wr9300n Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wr9300n_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wr9300n » Version: N/A
NEC » Aterm Wr9500n Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wr9500n_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wr9500n » Version: N/A
NEC » Aterm Wr8170n Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wr8170n_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wr8170n » Version: N/A
NEC » Aterm Wr8175n Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wr8175n_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wr8175n » Version: N/A
NEC » Aterm Wr8370n Firmware » Version: N/A
cpe:2.3:o:nec:aterm_wr8370n_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: NEC » Aterm Wr8370n » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2023-3331

EPSS FAQ

0.11%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 31 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-3331

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.4	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L	2.8	2.5	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: Low Availability: Low

CWE ids for CVE-2023-3331

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Assigned by:
- nvd@nist.gov (Primary)
- psirt-info@cyber.jp.nec.com (Secondary)

References for CVE-2023-3331

https://https://jpn.nec.com/security-info/secinfo/nv23-007_en.html

Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-3331

Products affected by CVE-2023-3331

Exploit prediction scoring system (EPSS) score for CVE-2023-3331

CVSS scores for CVE-2023-3331

CWE ids for CVE-2023-3331

References for CVE-2023-3331