CVE-2023-38322
First published: Fri Nov 17 2023(Updated: )
An issue was discovered in OpenNDS Captive Portal before version 10.1.2. It has a do_binauth NULL pointer dereference that be triggered with a crafted GET HTTP request with a missing User-Agent HTTP header. Triggering this issue results in crashing OpenNDS (a Denial-of-Service condition). The issue occurs when the client is about to be authenticated, and can be triggered only when the BinAuth option is set.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| OpenNDS Captive Portal | <10.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-38322?
CVE-2023-38322 is a vulnerability in OpenNDS Captive Portal before version 10.1.2 that allows a NULL pointer dereference, leading to a Denial-of-Service condition.
How severe is CVE-2023-38322?
CVE-2023-38322 has a severity rating of 7.5 (high).
How can CVE-2023-38322 be triggered?
CVE-2023-38322 can be triggered with a crafted GET HTTP request with a missing User-Agent HTTP header.
What is the affected software version of CVE-2023-38322?
The affected software version of CVE-2023-38322 is OpenNDS Captive Portal up to and excluding version 10.1.2.
Is there a fix for CVE-2023-38322?
Yes, updating to OpenNDS Captive Portal version 10.1.2 or later fixes CVE-2023-38322.
- collector/mitre-cve
- collector/nvd-api
- vendor/opennds
- product/captive portal
- canonical/opennds captive portal