CVE-2023-31473

Name of the Vulnerable Software and Affected Versions GL.iNet devices versions prior to 3.216

Description An issue was discovered that allows for arbitrary file write, where an empty file can be created anywhere on the filesystem. This is caused by a command injection vulnerability with a filter applied, allowing an attacker to inject arbitrary parameters through the software installation feature. This can cause opkg to read an arbitrary file name while using root privileges, potentially using the -f option with a configuration file.

Recommendations For versions prior to 3.216, update to version 3.216 or later to resolve the issue. As a temporary workaround, consider restricting the use of the software installation feature to minimize the risk of exploitation. Avoid using the opkg command with the -f option and a configuration file until the issue is resolved.