CVE-2023-31474

Name of the Vulnerable Software and Affected Versions GL.iNet devices versions prior to 3.216

Description An issue was discovered that allows injecting arbitrary parameters in a request to cause opkg to obtain a list of files in a specific directory, by using the regex feature in a package name through the software installation feature.

Recommendations For versions prior to 3.216, update to version 3.216 or later to resolve the issue. As a temporary workaround, consider restricting access to the software installation feature until a patch is applied. Avoid using the regex feature in package names to minimize the risk of exploitation.