PT-2024-3892 · Gl.Inet · Gl-Inet Ar300M+18
Published: 2024-02-26 · Updated: 2025-09-18 · CVE-2024-27356
CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:P
Name of the Vulnerable Software and Affected Versions:
GL-iNet MT6000 version 4.5.5
GL-iNet XE3000 version 4.4.4
GL-iNet X3000 version 4.4.5
GL-iNet MT3000 version 4.5.0
GL-iNet MT2500 version 4.5.0
GL-iNet AXT1800 version 4.5.0
GL-iNet AX1800 version 4.5.0
GL-iNet A1300 version 4.5.0
GL-iNet S200 version 4.1.4-0300
GL-iNet X750 version 4.3.7
GL-iNet SFT1200 version 4.3.7
GL-iNet XE300 version 4.3.7
GL-iNet MT1300 version 4.3.10
GL-iNet AR750 version 4.3.10
GL-iNet AR750S version 4.3.10
GL-iNet AR300M version 4.3.10
GL-iNet AR300M16 version 4.3.10
GL-iNet B1300 version 4.3.10
GL-iNet MT300N-v2 version 4.3.10
GL-iNet X300B version 3.217
GL-iNet S1300 version 3.216
GL-iNet SF1200 version 3.216
GL-iNet MV1000 version 3.216
GL-iNet N300 version 3.216
GL-iNet B2200 version 3.216
GL-iNet X1200 version 3.203
Description:
An issue was discovered on certain GL-iNet devices, where attackers can download files such as logs via commands, potentially obtaining critical user information. The vulnerability is related to the use of an insecure path in the process of exporting logs, which may allow a remote attacker to gain unauthorized access to protected information and download arbitrary files.
Recommendations:
For GL-iNet MT6000 version 4.5.5, update to a newer version that contains a fix for this issue.
For GL-iNet XE3000 version 4.4.4, update to a newer version that contains a fix for this issue.
For GL-iNet X3000 version 4.4.5, update to a newer version that contains a fix for this issue.
For GL-iNet MT3000 version 4.5.0, update to a newer version that contains a fix for this issue.
For GL-iNet MT2500 version 4.5.0, update to a newer version that contains a fix for this issue.
For GL-iNet AXT1800 version 4.5.0, update to a newer version that contains a fix for this issue.
For GL-iNet AX1800 version 4.5.0, update to a newer version that contains a fix for this issue.
For GL-iNet A1300 version 4.5.0, update to a newer version that contains a fix for this issue.
For GL-iNet S200 version 4.1.4-0300, update to a newer version that contains a fix for this issue.
For GL-iNet X750 version 4.3.7, update to a newer version that contains a fix for this issue.
For GL-iNet SFT1200 version 4.3.7, update to a newer version that contains a fix for this issue.
For GL-iNet XE300 version 4.3.7, update to a newer version that contains a fix for this issue.
For GL-iNet MT1300 version 4.3.10, update to a newer version that contains a fix for this issue.
For GL-iNet AR750 version 4.3.10, update to a newer version that contains a fix for this issue.
For GL-iNet AR750S version 4.3.10, update to a newer version that contains a fix for this issue.
For GL-iNet AR300M version 4.3.10, update to a newer version that contains a fix for this issue.
For GL-iNet AR300M16 version 4.3.10, update to a newer version that contains a fix for this issue.
For GL-iNet B1300 version 4.3.10, update to a newer version that contains a fix for this issue.
For GL-iNet MT300N-v2 version 4.3.10, update to a newer version that contains a fix for this issue.
For GL-iNet X300B version 3.217, update to a newer version that contains a fix for this issue.
For GL-iNet S1300 version 3.216, update to a newer version that contains a fix for this issue.
For GL-iNet SF1200 version 3.216, update to a newer version that contains a fix for this issue.
For GL-iNet MV1000 version 3.216, update to a newer version that contains a fix for this issue.
For GL-iNet N300 version 3.216, update to a newer version that contains a fix for this issue.
For GL-iNet B2200 version 3.216, update to a newer version that contains a fix for this issue.
For GL-iNet X1200 version 3.203, update to a newer version that contains a fix for this issue.
As a temporary workaround, consider restricting access to the log export functionality until a patch is available.
Exploit
Fix
Untrusted Search Path
Information Disclosure
Uncontrolled Search Path Element
Affected Products
Gl-Inet A1300
Gl-Inet Ar300M
Gl-Inet Ar300M16
Gl-Inet Ar750
Gl-Inet Ax1800
Gl-Inet B2200
Gl-Inet Mt1300
Gl-Inet Mt2500
Gl-Inet Mt3000
Gl-Inet Mt300N-V2
Gl-Inet Mt6000
Gl-Inet Mv1000
Gl-Inet N300
Gl-Inet S200
Gl-Inet Sft1200
Gl-Inet X1200
Gl-Inet X3000
Gl-Inet Xe300
Gl-Inet X750