CVE-2023-35802 : IQ Engine before 10.6r1 on Extreme Network AP devices has a Buffer Overflow in t

IQ Engine before 10.6r1 on Extreme Network AP devices has a Buffer Overflow in the implementation of the CAPWAP protocol that may be exploited to obtain elevated privileges to conduct remote code execution. Access to the internal management interface/subnet is required to conduct the exploit.

Published 2023-07-15 02:15:09

Updated 2023-07-26 21:39:29

Source MITRE

View at NVD, CVE.org

Vulnerability category: OverflowExecute code

Products affected by CVE-2023-35802

Extremenetworks » Iq Engine
Versions before (<) 10.6r1
cpe:2.3:o:extremenetworks:iq_engine:*:*:*:*:*:*:*:*
Matching versions
When used together with: Extremenetworks » Ap122 » Version: N/A
When used together with: Extremenetworks » Ap130 » Version: N/A
When used together with: Extremenetworks » Ap150w » Version: N/A
When used together with: Extremenetworks » Ap250 » Version: N/A
When used together with: Extremenetworks » Ap30 » Version: N/A
When used together with: Extremenetworks » Ap3000 » Version: N/A
When used together with: Extremenetworks » Ap3000x » Version: N/A
When used together with: Extremenetworks » Ap302w » Version: N/A
When used together with: Extremenetworks » Ap305c » Version: N/A
When used together with: Extremenetworks » Ap305c-1 » Version: N/A
When used together with: Extremenetworks » Ap305cx » Version: N/A
When used together with: Extremenetworks » Ap4000 » Version: N/A
When used together with: Extremenetworks » Ap4000-1 » Version: N/A
When used together with: Extremenetworks » Ap410c » Version: N/A
When used together with: Extremenetworks » Ap410c-1 » Version: N/A
When used together with: Extremenetworks » Ap460c » Version: N/A
When used together with: Extremenetworks » Ap460s12c » Version: N/A
When used together with: Extremenetworks » Ap460s6c » Version: N/A
When used together with: Extremenetworks » Ap5010 » Version: N/A
When used together with: Extremenetworks » Ap5050d » Version: N/A
When used together with: Extremenetworks » Ap5050u » Version: N/A
When used together with: Extremenetworks » Ap510c » Version: N/A
When used together with: Extremenetworks » Ap510cx » Version: N/A
When used together with: Extremenetworks » Ap630 » Version: N/A
When used together with: Extremenetworks » Ap650 » Version: N/A
When used together with: Extremenetworks » Ap650x » Version: N/A
Extremenetworks » Iq Engine
Versions before (<) 10.6r5
cpe:2.3:o:extremenetworks:iq_engine:*:*:*:*:*:*:*:*
Matching versions
When used together with: Extremenetworks » Ap1130 » Version: N/A
When used together with: Extremenetworks » Ap550 » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2023-35802

EPSS FAQ

2.77%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 85 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-35802

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-35802

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2023-35802

https://extremeportal.force.com/ExtrArticleDetail?an=000112741

Security Advisory: SA-2023-066 - IQ Engine CAPWAP buffer overflow (CVE-2023-35802) | Extreme Portal
Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-35802

Products affected by CVE-2023-35802

Exploit prediction scoring system (EPSS) score for CVE-2023-35802

CVSS scores for CVE-2023-35802

CWE ids for CVE-2023-35802

References for CVE-2023-35802