Security Bulletin
This security bulletin contains information about 1 vulnerability.
Updated 20.06.2023
Added vulnerable products.
EUVDB-ID: #VU77113
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-31195
CWE-ID: CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Exploit availability: No
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because the affected application uses sensitive cookies without the "Secure" attribute. A remote attacker can perform a man-in-the-middle attack and gain access to sensitive cookies.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
RT-AX3000: before 3.0.0.4.388.23403
GT6: before 3.0.0.4.388.23145
GT-AXE16000: before 3.0.0.4.388.23012
GT-AXE11000 PRO: before 3.0.0.4.388.23285
GT-AXE11000: before 3.0.0.4.388.23482
GT-AX6000: before 3.0.0.4.388.23285
GT-AX11000: before 3.0.0.4.388.23285
GS-AX5400: before 3.0.0.4.388.23012
GS-AX3000: before 1.4.8.3
ZenWiFi XT9: before 3.0.0.4.388.23285
ZenWiFi XT8: before 3.0.0.4.388.23285
ZenWiFi XT8_V2: before 3.0.0.4.388.23285
RT-AX86U PRO: before 3.0.0.4.388.23285
RT-AX86U: before 3.0.0.4.388.23285
RT-AX86S: before 3.0.0.4.388.23285
RT-AX82U: before 3.0.0.4.388.23285
RT-AX58U: before 3.0.0.4.388.23403
TUF-AX6000: before 3.0.0.4.388.31927
TUF-AX5400: before 3.0.0.4.388.23285
External links
http://jvn.jp/en/jp/JVN34232595/index.html
http://www.hkcert.org/security-bulletin/asus-router-multiple-vulnerabilities_20230620
http://www.asus.com/content/asus-product-security-advisory/#06/19/2023
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.