CVE-2024-6343

A buffer overflow vulnerability in the CGI program of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series firmware versions from V4.16 through V5.38 could allow an authenticated attacker with administrator privileges to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:zyxel:atp100:-:::::::*
	cpe:2.3:h:zyxel:atp100w:-:::::::*
	cpe:2.3:h:zyxel:atp200:-:::::::*
	cpe:2.3:h:zyxel:atp500:-:::::::*
	cpe:2.3:h:zyxel:atp700:-:::::::*
	cpe:2.3:h:zyxel:atp800:-:::::::*

Configuration 2 (hide)

AND

cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:zyxel:usg_flex_100:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_100ax:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_100w:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_200:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_50:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_500:-:::::::*
	cpe:2.3:h:zyxel:usg_flex_700:-:::::::*

Configuration 3 (hide)

AND

cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_flex_50w:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:zyxel:zld:*:*:*:*:*:*:*:*

cpe:2.3:h:zyxel:usg_20w-vpn:-:*:*:*:*:*:*:*

History

13 Dec 2024, 16:14

Type	Values Removed	Values Added
First Time		Zyxel zld
CPE	cpe:2.3:o:zyxel:zld_firmware::::::::	cpe:2.3:o:zyxel:zld::::::::

05 Sep 2024, 14:35

Type	Values Removed	Values Added
First Time		Zyxel usg Flex 50 Zyxel atp800 Zyxel atp500 Zyxel atp700 Zyxel usg Flex 200 Zyxel usg Flex 500 Zyxel usg Flex 100ax Zyxel usg Flex 50w Zyxel usg Flex 100 Zyxel usg Flex 700 Zyxel usg Flex 100w Zyxel atp100w Zyxel Zyxel atp100 Zyxel atp200 Zyxel usg 20w-vpn Zyxel zld Firmware
References	~~() https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024 -~~	() https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-multiple-vulnerabilities-in-firewalls-09-03-2024 - Vendor Advisory
CPE		cpe:2.3:h:zyxel:atp500:-:::::::* cpe:2.3:h:zyxel:usg_flex_50w:-:::::::* cpe:2.3:h:zyxel:atp200:-:::::::* cpe:2.3:h:zyxel:usg_flex_100:-:::::::* cpe:2.3:h:zyxel:usg_flex_700:-:::::::* cpe:2.3:h:zyxel:usg_flex_100ax:-:::::::* cpe:2.3:h:zyxel:usg_20w-vpn:-:::::::* cpe:2.3:h:zyxel:atp800:-:::::::* cpe:2.3:h:zyxel:atp100w:-:::::::* cpe:2.3:h:zyxel:atp100:-:::::::* cpe:2.3:h:zyxel:usg_flex_50:-:::::::* cpe:2.3:h:zyxel:atp700:-:::::::* cpe:2.3:h:zyxel:usg_flex_200:-:::::::* cpe:2.3:o:zyxel:zld_firmware:::::::: cpe:2.3:h:zyxel:usg_flex_100w:-:::::::* cpe:2.3:h:zyxel:usg_flex_500:-:::::::*

03 Sep 2024, 12:59

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de desbordamiento de búfer en el programa CGI de las versiones de firmware de la serie Zyxel ATP de V4.32 a V5.38, las versiones de firmware de la serie USG FLEX de V4.50 a V5.38, las versiones de firmware de la serie USG FLEX 50(W) de V4.16 a V5.38 y las versiones de firmware de la serie USG20(W)-VPN de V4.16 a V5.38 podría permitir que un atacante autenticado con privilegios de administrador provoque condiciones de denegación de servicio (DoS) al enviar una solicitud HTTP manipulada a un dispositivo vulnerable.

03 Sep 2024, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-09-03 02:15

Updated : 2024-12-13 16:14

NVD link : CVE-2024-6343

Mitre link : CVE-2024-6343

CVE.ORG link : CVE-2024-6343

JSON object : View

Products Affected

zyxel

atp100w
usg_flex_100ax
atp200
usg_flex_500
usg_flex_100w
usg_flex_200
atp100
usg_flex_50
usg_flex_700
atp500
atp800
usg_flex_50w
usg_flex_100
atp700
usg_20w-vpn
zld

CWE

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

4.9 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

JSON object

Attach tags to CVE-2024-6343

4.9^/10

Attach tags to `CVE-2024-6343`