CVE-2023-38315: Null Pointer Dereference
First published: Fri Nov 17 2023(Updated: )
An issue was discovered in OpenNDS Captive Portal before version 10.1.2. It has a try_to_authenticate NULL pointer dereference that can be triggered with a crafted GET HTTP with a missing client token query string parameter. Triggering this issue results in crashing OpenNDS (a Denial-of-Service condition). Affected OpenNDS Captive Portal before version 10.1.2 fixed in OpenWrt master, OpenWrt 23.05 and OpenWrt 22.03 on 28. August 2023 by updating OpenNDS to version 10.1.3.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenNDS Captive Portal | <10.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-38315?
CVE-2023-38315 is a vulnerability in OpenNDS Captive Portal before version 10.1.2, where a crafted GET HTTP request can trigger a NULL pointer dereference, leading to a denial-of-service condition.
How severe is CVE-2023-38315?
CVE-2023-38315 has a severity rating of 7.5 out of 10, indicating a high severity vulnerability.
How can CVE-2023-38315 be exploited?
CVE-2023-38315 can be exploited by sending a crafted GET HTTP request with a missing client token query string parameter.
What is the affected software for CVE-2023-38315?
The affected software is OpenNDS Captive Portal before version 10.1.2.
Is there a fix available for CVE-2023-38315?
Yes, a fix is available in version 10.1.2 of OpenNDS Captive Portal.
- agent/event
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/author
- agent/severity
- agent/tags
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/opennds
- canonical/opennds captive portal