PT-2023-23562 · Ubiquiti · UniFi OS
Published 2023-06-30 · Updated 2024-11-26 · CVE-2023-31997
CVSS v3.1: 9.0 (Critical)
Vector: AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
UniFi OS version 3.1
Cloud Key Gen2 running UniFi OS 3.1
Cloud Key Gen2 Plus running UniFi OS 3.1
Description
The issue stems from a misconfiguration in UniFi OS 3.1 on consoles running the UniFi Network application: users on the local network can reach the MongoDB instance backing UniFi Network. It affects Cloud Keys that run UniFi OS 3.1 and host the UniFi Network application.
Recommendations
For UniFi OS version 3.1, restrict access to MongoDB until a patch is available.
For Cloud Key Gen2 running UniFi OS 3.1, restrict local network access to the UniFi Network application.
For Cloud Key Gen2 Plus running UniFi OS 3.1, limit use of the console to authorized personnel only.
Fix
Weakness Enumeration
Incorrect Authorization
Related Identifiers
Affected Products
Cloud Key Gen2
Cloud Key Gen2 Plus
MongoDB
UniFi Network
UniFi OS